Abstract

One key step in the Advanced Encryption Standard (AES), or Rijndael, algorithm is called the “S-box”, the only nonlinear step in each round of encryption/decryption. A wide variety of implementations of AES have been proposed, for various desiderata, that effect the S-box in various ways. In particular, the most compact implementation to date of Satoh et al. [12] performs the 8-bit Galois field inversion of the S-box using subfields of 4 bits and of 2 bits. This work describes a refinement of this approach that minimizes the circuitry, and hence the chip area, required for the S-box. While Satoh [12] used polynomial bases at each level, we consider also normal bases, with arithmetic optimizations; altogether, 432 different cases were considered. The isomorphism bit matrices are fully optimized, improving on the “greedy algorithm.” The best case reduces the number of gates in the S-box by 16%. This decrease in chip area could be important for area-limited hardware implementations, e.g., smart cards. And for applications using larger chips, this approach could allow more copies of the S-box, for parallelism and/or pipelining in non-feedback modes of AES.


1 Introduction

The Advanced Encryption Standard (AES) was specified in 2001 by the National Institute of Standards and Technology [9]. The purpose is to provide a standard algorithm for encryption, strong enough to keep U.S. government documents secure for at least the next 20 years. The earlier Data Encryption Standard (DES) had been rendered insecure by advances in computing power, and was effectively replaced by triple-DES. Now AES will largely replace triple-DES for government use, and will likely become widely adopted for a variety of encryption needs, such as secure transactions via the Internet. As Secretary of Commerce Norman Y. Mineta put it in announcing AES, “. . . this standard will serve as a critical computer security tool supporting the rapid growth of electronic commerce. This is a very significant step toward creating a more secure digital economy. It will allow e-commerce and e-government to flourish safely, creating new opportunities for all Americans.” [7]

A wide variety of approaches to implementing AES have appeared, to satisfy the varying criteria of different applications. Some approaches seek to maximize throughput, e.g., [5], [14] and [2]; others minimize power consumption, e.g., [6]; and yet others minimize circuitry, e.g., [11], [12], [15], and [1]. For the latter goal, Rijmen [10] suggested using subfield arithmetic in the crucial step of computing an inverse in the Galois Field of 256 elements — essentially expressing an 8-bit calculation in terms of 4-bit ones. This idea was further extended by Satoh et al. [12], breaking up the 4-bit calculations into 2-bit ones, which resulted in the smallest AES circuit to date.

The current work improves on the compact implementation of [12] in the following ways. Many (432) choices of representation (isomorphisms) were compared, and the most compact turns out to use a normal basis for each subfield ([12] uses a polynomial basis for each subfield). And while [12] used the “greedy algorithm” to reduce the number of gates in the bit matrices required in changing representations, here each bit matrix is fully optimized, resulting in the minimum number of gates. These various refinements result in an S-box circuit that is 16% smaller, a significant improvement.

The AES algorithm, also called the Rijndael algorithm, is a symmetric encryption algorithm, meaning encryption and decryption are performed by essentially the same steps. It is a block cipher, where the data is encrypted/decrypted in blocks of 128 bits. (The original Rijndael algorithm allows other block sizes, but the Standard only permits 128-bit blocks.) Each data block is modified by several “rounds” of processing, where each round involves four steps. Three different key sizes are allowed: 128 bits, 192 bits, or 256 bits, and the corresponding number of rounds for each is 10 rounds, 12 rounds, or 14 rounds, respectively. From the original key, a different “round key” is computed for each of these rounds. For simplicity, the discussion below will use a key length of 128 bits and hence 10 rounds.

There are several different modes in which AES can be used [8]. For some of these, such as Cipher Block Chaining (CBC), the result of encrypting one block is used in encrypting the next. These are called feedback modes, and the feedback effectively precludes pipelining (simultaneous processing of several blocks in the “pipeline”). Other modes, such as the “Electronic Code Book” mode or “Counter” modes, do not require feedback. These non-feedback modes may be pipelined for greater throughput.

The four steps in each round of encryption, in order, are called SubBytes (byte substitution), ShiftRows, MixColumns, and AddRoundKey. Before the first round, the input block is processed by AddRoundKey; one could consider this round number zero. Also, the last round, number ten, skips the MixColumns step. Otherwise, all rounds are the same, except each uses a different round key, and the output of one round becomes the input for the next. (For decryption, the mathematical inverse of each step is used, in reverse order; certain manipulations allow this to appear like the same steps as encryption with certain constants changed.)

Of these four steps, three of them (ShiftRows, MixColumns, and AddRoundKey) are linear, in the sense that the output 128-bit block for such steps is just the linear combination (bitwise, modulo 2) of the outputs for each separate input bit. These three steps are all easy to implement by direct calculation in software or hardware.

The single nonlinear step is the SubBytes (byte substitution) step, where each byte (8 bits) of the input is replaced by the result of applying the “S-box” function to that byte. This nonlinear function involves finding the inverse of the 8-bit number, considered as an element of the Galois field GF(2^8). This is not a simple calculation, and so many current implementations use a table of the S-box function output; the input byte is an index into the table to find the output. This table look-up method is fast and easy to implement.

But for hardware implementations of AES, there is one drawback of the table look-up approach to the S-box function: each copy of the table requires 256 bytes of storage, along with the circuitry to address the table and fetch the results. Each of the 16 bytes in a block can go through the S-box function independently, and so could be processed in parallel for the byte substitution step. This then effectively requires 16 copies of the S-box table for one round. To fully pipeline the encryption would entail “unrolling” the loop of 10 rounds into 10 sequential copies of the round calculation. This would require 160 copies of the S-box table, a significant allocation of hardware resources.

In contrast, this work describes a direct calculation of the S-box function using sub-field arithmetic, similar to [12]. While the calculation is complicated to describe, the advantage is that the circuitry required to implement this in hardware is relatively simple, in terms of the number of logic gates required. This type of S-box implementation is significantly smaller (less area) than the table it replaces, especially with the optimizations in this work. Furthermore, when chip area is limited, this compact implementation may allow parallelism in each round and/or unrolling of the round loop, for a significant gain in speed.

The rest of the paper describes the algorithm in detail. Section 2 describes some basics of Galois field arithmetic and representations, essential to the algorithm. The basic idea of the algorithm is explained in Section 3. Section 4 discusses ways to optimize the calculation, Section 5 describes the choices of representation, and Section 6 gives the detailed formulas of the algorithm. Finally, Section 7 summarizes the work.


2 Galois Fields GF(p^n)

Finite fields, or Galois fields, are important in many applications, such as error-correcting codes [4], and have been studied extensively (one good reference is [3]). Here we give only a brief, informal introduction to the properties necessary for the AES algorithm.

A field is a set F of elements with two binary operations, say ⊕ and ⊗. We will call these addition and multiplication, and will sometimes use the standard notation a + b and ab instead of a ⊕ b and a ⊗ b, for simplicity. These operations must satisfy certain properties (here a, b, c represent arbitrary elements of F):

1. the set is closed with respect to both operations:

(a) a ⊕ b ∈ F

(b) a ⊗ b ∈ F

2. both operations are associative:

(a) (a ⊕ b) ⊕ c = a ⊕ (b ⊕ c)

(b) (a ⊗ b) ⊗ c = a ⊗ (b ⊗ c)

3. both operations are commutative:

(a) a ⊕ b = b ⊕ a

(b) a ⊗ b = b ⊗ a

4. the operations obey the distributive law: (a ⊕ b) ⊗ c = (a ⊗ c) ⊕ (b ⊗ c)

5. each operation has an identity (call the identities 0 and 1):

(a) a ⊕ 0 = a

(b) a ⊗ 1 = a

6. each element a has an additive inverse (say q): a ⊕ q = 0 (this defines subtraction; the standard notation for the additive inverse of a is −a)

7. each nonzero element a ≠ 0 has a multiplicative inverse (say r): a ⊗ r = 1 (this defines division; the standard notation for the multiplicative inverse of a is a^(−1))

Familiar examples are the field of rational numbers, the field of real numbers, and the field of complex numbers. If a subset of a field is itself a field, using the same operations, then it is called a subfield. For example, the rational numbers are a subfield of the real numbers.

If a field has only a finite number of elements, it is a finite field. But given some finite set, it is not always possible to define two operations with the above properties; it is only possible if the number of elements in the set is of the form p^n where p is a prime number and n is a positive integer. Then p^n is called the order of the field and p is called the characteristic of the field. So there is no field of 6 elements, for example, but there is a field of 7 elements and a field of 8 (= 2^3) elements. Given a set of p^n elements there may be more than one way to define the operations to produce a field, but these different ways give fields that are isomorphic: by changing the names we can change one field into the other — the structure remains the same. So in this sense there is only one finite field for a given number of elements p^n; we call this the Galois Field GF(p^n). (We will also use the notation of [3] for this field: F_k, where k = p^n.) If a positive integer m is a factor of n, then GF(p^m) is a subfield of GF(p^n).

The simplest example is GF(2) = {0, 1} with the usual addition and multiplication except 1 ⊕ 1 = 0; this is also called arithmetic modulo 2. Note that in this field, each element is its own additive inverse, so subtraction is the same as addition. This is true for all fields GF(2^k) of characteristic 2.

Another example that will be important later is GF(2^2), whose elements will be labeled {0, 1, Ω, Ψ}. The operations are defined by the tables below:


Note that if we swap the names Ω and Ψ everywhere, we get exactly the same operations, i.e., the same field. Also note that GF(2^2) contains the subfield GF(2) = {0, 1}.

There are several different ways to look at a Galois field. An element a of GF(p^n) is called primitive if all its powers are different: a^0 ≠ a^1 ≠ a^2 ≠ ··· ≠ a^(p^n − 2). (For any nonzero element b then b^(p^n − 1) = 1; for any element b then b^(p^n) = b.) Hence the powers of a primitive element give all the nonzero elements of GF(p^n). Every finite field has at least one primitive element, so one way to look at the field is in terms of powers of that element. For example, in GF(2^2), Ω is a primitive element: 1 = Ω^0, Ω = Ω^1, Ψ = Ω^2. This viewpoint makes multiplication easy: add the exponents modulo p^n − 1. But then addition is less obvious.

Another viewpoint involves polynomials, in some variable x, with coefficients in GF(p); these are called polynomials over GF(p). Each element of GF(p^n) can be considered a polynomial over GF(p), of degree less than n. Then addition just means adding the coefficients modulo p. Multiplication must be done modulo some specified polynomial q(x), of degree n, with leading coefficient equal to 1; also q(x) must be irreducible, which means it is not the product of two polynomials of lower degree.

For example, in GF(2^2) the only choice for q(x) is x^2 + x + 1 (because the others factor: x^2 = x·x, x^2 + x = x·(x + 1), x^2 + 1 = (x + 1)·(x + 1); remember the coefficient arithmetic is modulo 2). Then we could think of GF(2^2) as {0, 1, x, x + 1} where x ⊗ x = (x^2 modulo q) = x^2 ⊕ (x^2 + x + 1) = x + 1, and similarly x ⊗ (x + 1) = (x^2 ⊕ x) ⊕ (x^2 + x + 1) = 1 and (x + 1) ⊗ (x + 1) = (x^2 + 1) ⊕ (x^2 + x + 1) = x.

This polynomial viewpoint makes more sense if we think of the variable x as being a root of the polynomial, so q(x) = 0. Then adding or subtracting multiples of q(x) is just adding zero. In the first representation of GF(2^2), note that Ω^2 ⊕ (Ω ⊕ 1) = Ψ ⊕ Ψ = 0, so we could identify x = Ω. Alternatively, we could identify x = Ψ (switching the names as before), the other root.

Another viewpoint is that the field GF(p^n) is a vector space of dimension n, with vector addition ⊕ and multiplication by scalars in GF(p) (i.e., modulo p). (The vector viewpoint is convenient for choosing a representation, but does not fully reflect the multiplication operation ⊗.) Then any n linearly independent elements {b₁, b₂, ..., b_n} of GF(p^n) give a basis, and we can indicate any element a by its list of coefficients with respect to this basis: if a = c₁ ⊗ b₁ ⊕ c₂ ⊗ b₂ ⊕ ··· ⊕ c_n ⊗ b_n (with each c_i ∈ GF(p)) then a is represented by the list of numbers [c₁, c₂, ..., c_n]. For small p this list commonly is written as digits in positional notation: c₁c₂...c_n.

For example, the polynomial viewpoint for GF(2^2), with x = Ω, corresponds to using the ordered basis [Ω^1, Ω^0]; this is called a polynomial basis. Using this basis: 0 = 0Ω^1 + 0Ω^0 = 00, 1 = 0Ω^1 + 1Ω^0 = 01, Ω = 1Ω^1 + 0Ω^0 = 10, Ψ = 1Ω^1 + 1Ω^0 = 11. This defines a field of 2-bit binary numbers (where ⊕ is bitwise exclusive-or), where for example 11 ⊗ 11 = 10.

But different choices of basis are also possible. Another type of basis with convenient properties is called a normal basis, of the form {b^(p^0), b^(p^1), ..., b^(p^(n−1))}, where the element b of GF(p^n) must be chosen to make that set of powers linearly independent. (One nice property is that an isomorphism [name change] on the field has the same effect as rotating this list of basis elements.)

Using the ordered normal basis [Ω^(2^1), Ω^(2^0)] = [Ψ, Ω] for GF(2^2) gives the correspondence 0 = 0Ψ + 0Ω = 00, 1 = 1Ψ + 1Ω = 11, Ω = 0Ψ + 1Ω = 01, Ψ = 1Ψ + 0Ω = 10. This gives a different 2-bit representation of GF(2^2); addition ⊕ is still bitwise exclusive-or, but now for example 11 ⊗ 11 = 11. So in one sense this is a different field, but it has exactly the same structure as the previous version, only the names have been changed to confuse the innocent.

The polynomial representation idea can be generalized. For any finite field F (of characteristic p) containing a subfield S, where S is of order r = p^j and F is of order r^k = p^(jk), the elements of F can be represented as polynomials of degree less than k, with coefficients in S (i.e., polynomials over S). We notate this view of the field as F/S (read as F “over” S). Again, addition just means adding the coefficients in S, and multiplication is done modulo some polynomial q(x), of degree k. The coefficients of q(x) also belong to S, with the leading coefficient equal to 1, and q(x) must be irreducible over S (no element of S is a root). For example, the elements of GF(5^6) can be represented as polynomials of the form c₂x^2 + c₁x + c₀, with all the c_i ∈ GF(5^2), modulo the polynomial q(x) = x^3 + x^2 + x + 3, which is irreducible over GF(5^2).

Since the names of the elements of GF(p^n) change with choice of representation, we might wonder if the elements have certain properties that are independent of representation, a sort of identification. One such property is the minimal polynomial (over GF(p)) of a given element a. This is the irreducible polynomial of smallest degree, with coefficients in GF(p) and leading coefficient = 1, having a as a root. The degree m of the minimal polynomial is always ≤ n, and that minimal polynomial has m distinct roots in GF(p^n). Elements with the same minimal polynomial are called conjugates; if one of them is a then the m conjugates are {a, a^p, a^(p^2), ..., a^(p^(m−1))}. Each isomorphism of GF(p^n) corresponds to replacing each element b by b^(p^k) (for some integer k), and so in effect rotates each set of conjugates. For any primitive element, the minimal polynomial is called a primitive polynomial and has degree n. (Note that a normal basis is a set of n distinct conjugates.) In GF(2^2) for example, the minimal polynomial for 0 is x, that for 1 is x + 1, and the one for Ω and Ψ is x^2 + x + 1 (they are conjugate primitive elements).

Again, these ideas can be extended to elements of F = GF(p^n) as polynomials over any subfield S of order r = p^j, where n = jk for some k, so F is of order r^k. Then each element a of F has a minimal polynomial over S, of degree m ≤ k, with m distinct roots in F, and the m conjugates of a over S are {a, a^r, a^(r^2), ..., a^(r^(m−1))}. Also F/S is a vector space of dimension k over S, and a normal basis is a set of k distinct conjugates.

The trace of a over S is then defined as

$$
\mathrm{Tr}_{F/S}(a) = a + a^{r} + a^{r^2} + \cdots + a^{r^{k-1}}
$$

and the norm is defined as

$$
N_{F/S}(a) = a \cdot a^{r} \cdot a^{r^2} \cdots a^{r^{k-1}}
$$

(If the minimal polynomial of a is of degree k, then the trace is the sum of the conjugates and the norm is the product of the conjugates.) It turns out that both the trace and the norm are always elements of the subfield S. For example, in GF(2^2)/GF(2), both the trace and the norm of Ω are 1.

This brief introduction to Galois fields only covers the points relevant to the algorithm below. A nice, succinct introduction is given in [4]; for more depth and rigor, see [3].

3 S-box Algorithm

The S-box function of an input byte a is defined by two substeps:

1. Inverse: Let c = a^(−1), the multiplicative inverse in GF(2^8) (except if a = 0 then c = 0).

2. Affine Transformation: Then the output is s = Mc ⊕ b, where M is a specified 8×8 matrix of bits, b is a specified byte, and the bytes c, b, s are treated as vectors of bits, with bit c₇ the most significant; all bit operations are modulo 2. (M and b are the constants given in the Standard [9].)

The second substep is affine (linear plus a constant) and easy to implement; the algorithm for the first substep, finding the inverse, is described below.

The AES algorithm uses the particular Galois field of 8-bit bytes where the bits are coefficients of a polynomial (i.e., a polynomial basis), and multiplication is modulo the irreducible polynomial q(x) = x^8 + x^4 + x^3 + x + 1. (A 9-bit binary representation is q(x) = 100011011; this is the “smallest” irreducible polynomial of degree 8 over GF(2), in the sense of comparing the binary number representations.) Let A be one root of q(x); we will think of the polynomial basis as [A^7, A^6, A^5, A^4, A^3, A^2, A, 1]. It turns out that A = 00000010 is not a primitive element, but A + 1 = 00000011 is; we call it B. (B is a root of the second smallest irreducible polynomial: 100011101; see Table D.3 for more details.) Some implementations of AES use logarithm and antilogarithm tables, base B (as shown in Appendix D), for finding inverses and products in GF(2^8). In particular, A = B^25. (Note: we will use Roman letters for specific elements of GF(2^8), lowercase Greek letters for elements of GF(2^4), and uppercase Greek letters for GF(2^2); the naming scheme is summarized in Table D.3.)

Direct calculation of the inverse (modulo an eighth-degree polynomial) of a seventh-degree polynomial is not easy. But calculation of the inverse (modulo a second-degree polynomial) of a first-degree polynomial is relatively easy, as pointed out by Rijmen [10]. This suggests the following changes of representation.

First, we use the isomorphism between GF(2^8) and GF(2^8)/GF(2^4) to represent a general element g of GF(2^8) as a polynomial (in y) over GF(2^4), of degree 1 or less, as g = γ₁y + γ₀, with multiplication modulo an irreducible polynomial r(y) = y^2 + τy + ν. Here, all the coefficients are in GF(2^4). Then the pair [γ₁, γ₀] represents g in terms of a polynomial basis [Y, 1] where Y is one root of r(y). Of course, we are free to use any basis for this representation, for example the normal basis [Y^16, Y]. Note that

$$
r(y) = y^2 + \tau y + \nu = (y + Y)(y + Y^{16})
$$

so τ = Tr_{F256/F16}(Y) is the trace and ν = N_{F256/F16}(Y) is the norm of Y.

Second, using GF(2^4)/GF(2^2) we can similarly represent GF(2^4) as linear polynomials (in z) over GF(2^2), as γ = Γ₁z + Γ₀, with multiplication modulo an irreducible polynomial s(z) = z^2 + Tz + N, with all the coefficients in GF(2^2). Again, this uses a polynomial basis [Z, 1] for GF(2^4)/GF(2^2), where Z is one root of s(z). We could use any basis, such as the normal basis [Z^4, Z]. And for the same reasons as above, T = Tr_{F16/F4}(Z) is the trace and N = N_{F16/F4}(Z) is the norm of Z (considering T and N as uppercase Greek for τ and ν).

Third, we use GF(2^2)/GF(2) to represent GF(2^2) as linear polynomials (in w) over GF(2), as Γ = g₁w + g₀, with multiplication modulo t(w) = w^2 + w + 1, where g₁, g₀ ∈ {0, 1}. This uses a polynomial basis [W, 1], where W is either Ω or Ψ; a normal basis would be [W^2, W]. (Note that the trace and norm of Ω and Ψ are 1.)

This allows operations in GF(2^8) to be expressed in terms of simpler operations in GF(2^4), which in turn are expressed in the simple operations of GF(2^2). In particular, we want to find the inverse in GF(2^8). Say the inverse of g = γ₁y + γ₀ is d = δ₁y + δ₀. Then (recalling subtraction is the same as addition in GF(2^n))

$$
\begin{aligned}
gd &= (\gamma_1 y + \gamma_0)(\delta_1 y + \delta_0) \bmod (y^2 + \tau y + \nu) \\
&= [(\gamma_1\delta_1)y^2 + (\gamma_1\delta_0 + \gamma_0\delta_1)y + (\gamma_0\delta_0)] \bmod (y^2 + \tau y + \nu) \\
&= [(\gamma_1\delta_1)y^2 + (\gamma_1\delta_0 + \gamma_0\delta_1)y + (\gamma_0\delta_0)] + (\gamma_1\delta_1)(y^2 + \tau y + \nu) \\
&= (\gamma_1\delta_0 + \gamma_0\delta_1 + \gamma_1\delta_1\tau)\,y + (\gamma_0\delta_0 + \gamma_1\delta_1\nu) \\
&= 1 = 0y + 1
\end{aligned}
$$

Solving the two equations

$$
\begin{aligned}
0 &= \gamma_1\delta_0 + (\gamma_0 + \gamma_1\tau)\delta_1 \\
1 &= \gamma_0\delta_0 + (\gamma_1\nu)\delta_1
\end{aligned}
$$

by multiplying the first by γ₀ and the second by γ₁,

$$
\begin{aligned}
0 &= \gamma_1\gamma_0\delta_0 + (\gamma_0^2 + \gamma_1\gamma_0\tau)\delta_1 \\
\gamma_1 &= \gamma_1\gamma_0\delta_0 + (\gamma_1^2\nu)\delta_1
\end{aligned}
$$

and adding, gives (together with the first equation)

$$
\begin{aligned}
\gamma_1 &= (\gamma_1^2\nu + \gamma_1\gamma_0\tau + \gamma_0^2)\,\delta_1 \\
\gamma_1\delta_0 &= (\gamma_0 + \gamma_1\tau)\,\delta_1
\end{aligned}
$$

so that

$$
\begin{aligned}
\delta_1 &= (\gamma_1^2\nu + \gamma_1\gamma_0\tau + \gamma_0^2)^{-1}\,\gamma_1 \\
\delta_0 &= (\gamma_1^2\nu + \gamma_1\gamma_0\tau + \gamma_0^2)^{-1}\,(\gamma_0 + \gamma_1\tau)
\end{aligned}
$$

So finding an inverse in GF(2^8) involves an inverse and several multiplications in GF(2^4). (Addition in GF(2^4) as 4-bit elements, using any basis, is just bitwise exclusive-or.) Similarly, to find the inverse in GF(2^4) of γ = Γ₁z + Γ₀ as δ = Δ₁z + Δ₀, then

$$
\gamma\delta = (\Gamma_1\Delta_0 + \Gamma_0\Delta_1 + \Gamma_1\Delta_1 T)\,z + (\Gamma_0\Delta_0 + \Gamma_1\Delta_1 N)
$$

so

$$
\begin{aligned}
\Delta_1 &= (\Gamma_1^2 N + \Gamma_1\Gamma_0 T + \Gamma_0^2)^{-1}\,\Gamma_1 \\
\Delta_0 &= (\Gamma_1^2 N + \Gamma_1\Gamma_0 T + \Gamma_0^2)^{-1}\,(\Gamma_0 + \Gamma_1 T)
\end{aligned}
$$

And to find the inverse in GF(2^2) of Γ = g₁w + g₀ as Δ = d₁w + d₀, then

$$
\Gamma\Delta = (g_1 d_0 + g_0 d_1 + g_1 d_1)\,w + (g_0 d_0 + g_1 d_1)
$$

so

$$
\begin{aligned}
d_1 &= (g_1^2 + g_1 g_0 + g_0^2)^{-1}\,g_1 \\
d_0 &= (g_1^2 + g_1 g_0 + g_0^2)^{-1}\,(g_0 + g_1)
\end{aligned}
$$

since both coefficients (trace and norm) in the polynomial t(w) are 1. This can be further simplified because for g ∈ GF(2), g^2 = g^(−1) = g, so

$$
\begin{aligned}
d_1 &= (g_1 + g_1 g_0 + g_0)\,g_1 \\
&= g_1 + g_1 g_0 + g_1 g_0 \\
&= g_1 \\
d_0 &= (g_1 + g_1 g_0 + g_0)(g_0 + g_1) \\
&= g_1 g_0 + g_1 + g_1 g_0 + g_1 g_0 + g_0 + g_1 g_0 \\
&= g_1 + g_0
\end{aligned}
$$

Note that if the above inversion formulas are applied to a zero input then the output will also be zero, so that special case is handled automatically.

How do these calculations change if we use normal bases at each level? In GF(2^8), to find the inverse of g = γ₁Y^16 + γ₀Y as d = δ₁Y^16 + δ₀Y, we use the fact that both Y and Y^16 satisfy y^2 + τy + ν = 0 where τ = Y^16 + Y and ν = (Y^16)Y. Then 1 = τ^(−1)(Y^16 + Y), so:

$$
\begin{aligned}
gd &= (\gamma_1 Y^{16} + \gamma_0 Y)(\delta_1 Y^{16} + \delta_0 Y) \\
&= (\gamma_1\delta_1)(Y^{16})^2 + (\gamma_1\delta_0 + \gamma_0\delta_1)(Y^{16})Y + (\gamma_0\delta_0)Y^2 \\
&= (\gamma_1\delta_1)(\tau Y^{16} + \nu) + (\gamma_1\delta_0 + \gamma_0\delta_1)\nu + (\gamma_0\delta_0)(\tau Y + \nu) \\
&= (\gamma_1\delta_1\tau)Y^{16} + (\gamma_0\delta_0\tau)Y + [(\gamma_1\delta_1)\nu + (\gamma_1\delta_0 + \gamma_0\delta_1)\nu + (\gamma_0\delta_0)\nu] \\
&= (\gamma_1\delta_1\tau)Y^{16} + (\gamma_0\delta_0\tau)Y + [(\gamma_1 + \gamma_0)(\delta_1 + \delta_0)\nu]\,\tau^{-1}(Y^{16} + Y) \\
&= [\gamma_1\delta_1\tau + (\gamma_1 + \gamma_0)(\delta_1 + \delta_0)\nu\tau^{-1}]\,Y^{16} + [\gamma_0\delta_0\tau + (\gamma_1 + \gamma_0)(\delta_1 + \delta_0)\nu\tau^{-1}]\,Y \\
&= 1 = \tau^{-1}(Y^{16} + Y)
\end{aligned}
$$

Solving the two equations

$$
\begin{aligned}
\tau^{-1} &= \gamma_1\delta_1\tau + (\gamma_1 + \gamma_0)(\delta_1 + \delta_0)\nu\tau^{-1} \\
\tau^{-1} &= \gamma_0\delta_0\tau + (\gamma_1 + \gamma_0)(\delta_1 + \delta_0)\nu\tau^{-1}
\end{aligned}
$$

gives (adding them, and multiplying the first by τ)

$$
\begin{aligned}
0 &= \gamma_1\delta_1 + \gamma_0\delta_0 \\
1 &= \gamma_1\delta_1\tau^2 + (\gamma_1\delta_0 + \gamma_0\delta_1)\nu
\end{aligned}
$$

and then, multiplying the second by γ₀ and using the first,

$$
\begin{aligned}
\gamma_0 &= \gamma_1\gamma_0\delta_1\tau^2 + (\gamma_1\gamma_0\delta_0 + \gamma_0^2\delta_1)\nu \\
&= \gamma_1\gamma_0\delta_1\tau^2 + (\gamma_1^2\delta_1 + \gamma_0^2\delta_1)\nu \\
&= [\gamma_1\gamma_0\tau^2 + (\gamma_1 + \gamma_0)^2\nu]\,\delta_1
\end{aligned}
$$

so that

$$
\begin{aligned}
\delta_1 &= [\gamma_1\gamma_0\tau^2 + (\gamma_1 + \gamma_0)^2\nu]^{-1}\,\gamma_0 \\
\delta_0 &= [\gamma_1\gamma_0\tau^2 + (\gamma_1 + \gamma_0)^2\nu]^{-1}\,\gamma_1
\end{aligned}
$$

Again, finding an inverse in GF(2^8) involves an inverse and several multiplications in GF(2^4). Analogously, to find the inverse in GF(2^4) of γ = Γ₁Z^4 + Γ₀Z as δ = Δ₁Z^4 + Δ₀Z, then

$$
\gamma\delta = [\Gamma_1\Delta_1 T + (\Gamma_1 + \Gamma_0)(\Delta_1 + \Delta_0) N T^{-1}]\,Z^4 + [\Gamma_0\Delta_0 T + (\Gamma_1 + \Gamma_0)(\Delta_1 + \Delta_0) N T^{-1}]\,Z
$$

so

$$
\begin{aligned}
\Delta_1 &= [\Gamma_1\Gamma_0 T^2 + (\Gamma_1 + \Gamma_0)^2 N]^{-1}\,\Gamma_0 \\
\Delta_0 &= [\Gamma_1\Gamma_0 T^2 + (\Gamma_1 + \Gamma_0)^2 N]^{-1}\,\Gamma_1
\end{aligned}
$$

And to find the inverse in GF(2^2) of Γ = g₁W^2 + g₀W as Δ = d₁W^2 + d₀W, then

$$
\Gamma\Delta = [g_1 d_1 + (g_1 + g_0)(d_1 + d_0)]\,W^2 + [g_0 d_0 + (g_1 + g_0)(d_1 + d_0)]\,W
$$

so

$$
\begin{aligned}
d_1 &= [g_1 g_0 + g_1 + g_0]\,g_0 = g_0 \\
d_0 &= [g_1 g_0 + g_1 + g_0]\,g_1 = g_1
\end{aligned}
$$

using the same simplifications as before in GF(2).

This shows how we break one problem (the 8-bit inverse in GF(2^8)) down into simpler problems (4-bit operations in GF(2^4)), which can further be broken down to still simpler problems (2-bit operations in GF(2^2) and bit operations in GF(2)).
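As an added check of the normal-basis formulas derived above (example code written for this page, not the paper's own), the following Python builds the same three-level tower entirely in normal bases with τ = T = 1, so that the element 1 is all-ones at each level (as in the 2-bit example of Section 2) and the GF(2^2) inverse is just a swap of the two bits. The constants N and ν are this example's own choices, found by the no-root test rather than taken from the paper's later sections.

```python
# Normal-basis tower with tau = T = 1 (added example; the constants are our own choice)
#   GF(2^2): 2-bit int g1*W^2 + g0*W,   W^2 + W = 1,   W^3 = 1     -> 1 is 0b11
#   GF(2^4): 4-bit int G1*Z^4 + G0*Z,   Z^4 + Z = 1,   Z^5 = N     -> 1 is 0b1111
#   GF(2^8): 8-bit int g1*Y^16 + g0*Y,  Y^16 + Y = 1,  Y^17 = nu   -> 1 is 0xff
# A subfield element c sits in the next level as the pair (c, c), since 1 = (1, 1).

def mul2n(a, b):
    """[g1 d1 + (g1+g0)(d1+d0)] W^2 + [g0 d0 + (g1+g0)(d1+d0)] W, products are AND."""
    g1, g0, d1, d0 = a >> 1, a & 1, b >> 1, b & 1
    t = (g1 ^ g0) & (d1 ^ d0)
    return (((g1 & d1) ^ t) << 1) | ((g0 & d0) ^ t)

def inv2n(a):
    """Gamma^-1 = g0 W^2 + g1 W: the inverse is just a swap of the two bits."""
    return ((a & 1) << 1) | (a >> 1)

N = 0b10   # N = W^2 (absolute trace 1), so z^2 + z + N is irreducible over GF(2^2)

def mul4n(a, b):
    """[G1 D1 T + (G1+G0)(D1+D0) N/T] Z^4 + [G0 D0 T + (G1+G0)(D1+D0) N/T] Z, T = 1."""
    G1, G0, D1, D0 = a >> 2, a & 3, b >> 2, b & 3
    t = mul2n(N, mul2n(G1 ^ G0, D1 ^ D0))
    return ((mul2n(G1, D1) ^ t) << 2) | (mul2n(G0, D0) ^ t)

def inv4n(a):
    """Delta1 = [G1 G0 T^2 + (G1+G0)^2 N]^-1 G0,  Delta0 = [same]^-1 G1  (T = 1)."""
    G1, G0 = a >> 2, a & 3
    s = G1 ^ G0
    e = inv2n(mul2n(G1, G0) ^ mul2n(mul2n(s, s), N))
    return (mul2n(e, G0) << 2) | mul2n(e, G1)

ONE4 = 0b1111

def find_nu():
    """Smallest nu for which y^2 + y + nu has no root in GF(2^4), i.e. is irreducible."""
    for nu in range(16):
        if all(mul4n(x, x) ^ x ^ nu for x in range(16)):
            return nu
    raise ValueError("no irreducible y^2 + y + nu found")

NU = find_nu()

def mul8n(a, b):
    """Same shape as mul4n, with nu in place of N and GF(2^4) coefficients."""
    g1, g0, d1, d0 = a >> 4, a & 15, b >> 4, b & 15
    t = mul4n(NU, mul4n(g1 ^ g0, d1 ^ d0))
    return ((mul4n(g1, d1) ^ t) << 4) | (mul4n(g0, d0) ^ t)

def inv8n(a):
    """delta1 = [g1 g0 tau^2 + (g1+g0)^2 nu]^-1 g0,  delta0 = [same]^-1 g1  (tau = 1)."""
    g1, g0 = a >> 4, a & 15
    s = g1 ^ g0
    e = inv4n(mul4n(g1, g0) ^ mul4n(mul4n(s, s), NU))
    return (mul4n(e, g0) << 4) | mul4n(e, g1)

def check_all():
    """Every nonzero element times its computed inverse gives the all-ones element 1."""
    ok2 = all(mul2n(x, inv2n(x)) == 0b11 for x in range(1, 4))
    ok4 = all(mul4n(x, inv4n(x)) == ONE4 for x in range(1, 16))
    ok8 = all(mul8n(x, inv8n(x)) == 0xff for x in range(1, 256))
    return ok2 and ok4 and ok8
```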

4 Optimizations

There are several ways to reorganize the calculations above in order to reduce the total operation count and hence minimize the circuitry required. Additionally, there is some freedom in the choice of the coefficients in the minimal polynomials r(y) and s(z) to give convenient multipliers.

The inverse formulas in GF(2^8)/GF(2^4) would simplify considerably if we could choose τ = 0 or ν = 0, but neither choice gives an irreducible polynomial. We can find irreducible polynomials with τ = 1, which is also convenient. This is better than choosing ν = 1, since τ appears in two products in the inverse (in the polynomial basis, but even for the normal basis τ = 1 turns out to be preferable). We can’t choose both ν = τ = 1 since then we get the minimal polynomial of Ω and Ψ in GF(2^2), a subfield of GF(2^4). So from here on we let τ = 1 and similarly let T = 1.

4.1 Polynomial Basis Optimizations

First we consider optimizations using polynomial bases. In GF(2^8)/GF(2^4) the only operation required is the inverse. Satoh et al. [12] indicate the following steps in inverting g = γ₁y + γ₀, where we return to the ⊕, ⊗ notation, and give names to intermediate results, to clarify the subfield operations needed:

$$
\begin{aligned}
\phi &= \gamma_1 \oplus \gamma_0 \\
\theta &= [(\nu \otimes \gamma_1^2) \oplus (\phi \otimes \gamma_0)]^{-1} \\
g^{-1} &= [\theta \otimes \gamma_1]\,y \oplus [\theta \otimes \phi]
\end{aligned}
$$

(Note: in the notation of [12], our ν becomes λ and our N becomes φ.) The operations required in the subfield GF(2^4)/GF(2^2) include an inverter, multipliers, and adders (bitwise XOR).

The  subheld  inversions  can  be  performed  similarly,  as  suggested  by  [12],  So  to  invert 

7  =  r1z  +  r0in  GF(24): 


$  —  Tx  ©  r0 

e  =  [(iv  ®  r^)  ©  ($  ®  To)]-1 

7_1  =  [0  <E>  Tx]z  +  [0  ®  4] 

And  in  GF( 22)  the  inverse  of  T  =  g±w  +  go  is  simply: 

r_1  =  [gi\w  +  [5»1  ©  go] 

The  multiplier  in  GF( 24)  given  by  [12]  hnds  the  product  jS  =  (T|  z  —  r0)(Axz  +  A0)  by 
the  steps 

$  =  To  <8>  Ao 

7 S  =  [«F  ©  (Tx  ©  T0)  ®  (Ax  ©  A0)]^  +  [$  ©  (JV  <g>  Tx  <g>  Ax)] 

Similarly  in  GF{ 22),  the  product  TA  =  ( gxw  +  g0)(diw  +  d0 )  can  be  found  by 
/  =  go  ®  d0 

TA  =  [/  ©  (gi  ©  g0)  ©  (di  ©  d0)]w  +  [/  ©  (5-1  ®  dx)] 

(where  in  GF( 2),  ©  means  AND). 
For further efficiency, multiplication by a known constant (e.g. ν above), which we will call “scaling,” should use a specialized circuit instead of a generic multiplier, and the same is true for squaring.

Scaling γ = Γ_1 z + Γ_0 in GF(2^4) by ν = Λ_1 z + Λ_0 becomes simpler for special choices of ν, for example, if Λ_0 = 0. (It is not possible to choose Λ_1 = 0, because then r(y) is reducible.) Then

$\nu \otimes \gamma = [\Lambda_1 \otimes (\Gamma_1 \oplus \Gamma_0)]z \oplus [(N\Lambda_1) \otimes \Gamma_1]$

And choosing Λ_1 = N^{-1} makes scaling by ν even simpler:

$\nu \otimes \gamma = [(N^{-1}) \otimes (\Gamma_1 \oplus \Gamma_0)]z \oplus [\Gamma_1]$

In GF(2^2), since N ≠ 0, 1 (so that s(z) = z^2 + z + N is irreducible over GF(2^2)), both N and N + 1 are roots of t(w) = w^2 + w + 1, and N^{-1} = N^2 = N + 1. Depending on which root we choose for the polynomial basis [w, 1], either N = w or N^2 = w. In either case, since we need scalers for both N and N^2, this corresponds to scalers for both w and w^2, and scaling becomes

$(w) \otimes (g_1 w + g_0) = [g_1 \oplus g_0]w \oplus [g_1]$

$(w^2) \otimes (g_1 w + g_0) = [g_0]w \oplus [g_0 \oplus g_1]$

Squaring γ = Γ_1 z ⊕ Γ_0 in GF(2^4) corresponds to

$\Phi = \Gamma_1^2$

$\gamma^2 = [\Phi]z \oplus [\Gamma_0^2 \oplus N \otimes \Phi]$

Of course, squaring Γ = g_1 w + g_0 in the subfield GF(2^2) can be done similarly, using further simplifications in GF(2):

$\Gamma^2 = [g_1]w \oplus [g_0 \oplus g_1]$

Note that, in GF(2^2), every nonzero element Γ satisfies Γ^3 = 1, so Γ^{-1} = Γ^2, i.e., the GF(2^2) inverter is the same as the squarer.

Another improvement comes from combining the square in GF(2^4) with the scaling by ν, since it is only this combination that is required in the GF(2^8) inverter. Then for the choice of ν above

$\nu \otimes \gamma^2 = \nu \otimes (\Gamma_1 z + \Gamma_0)^2$

$= \nu \otimes ([\Gamma_1^2]z \oplus [\Gamma_0^2 \oplus N\Gamma_1^2])$

$= [N^2 \otimes (\Gamma_1^2 \oplus (\Gamma_0^2 \oplus N\Gamma_1^2))]z \oplus [\Gamma_1^2]$

$= [(N^2 + 1) \otimes \Gamma_1^2 \oplus N^2 \otimes \Gamma_0^2]z \oplus [\Gamma_1^2]$

$= [N \otimes \Gamma_1^2 \oplus N^2 \otimes \Gamma_0^2]z \oplus [\Gamma_1^2]$


In the subfield GF(2^2), combining squaring with scaling by w gives

$(w) \otimes \Gamma^2 = (w) \otimes (g_1 w + g_0)^2$

$= (w) \otimes ([g_1]w \oplus [g_0 \oplus g_1])$

$= [g_1 \oplus (g_0 \oplus g_1)]w \oplus [g_1]$

$= [g_0]w \oplus [g_1]$

so this combination is free (being just a swap of two bits)! This suggests that if we choose w = N, then

$\nu \otimes \gamma^2 = [\{N \otimes \Gamma_1^2\} \oplus N \otimes \{N \otimes \Gamma_0^2\}]z \oplus [N^2 \otimes \{N \otimes \Gamma_1^2\}]$

performs this combined operation with one addition and two scalings in the subfield, since the operations in {} are free. Or, if instead we choose w = N^2 then

$\nu \otimes \gamma^2 = [N^2 \otimes \{N^2 \otimes \Gamma_1^2\} \oplus \{N^2 \otimes \Gamma_0^2\}]z \oplus [N \otimes \{N^2 \otimes \Gamma_1^2\}]$

again requiring only one addition and two scalings.

Also, combining the multiplication in GF(2^2) with scaling by N gives a small improvement; this combination appears in the GF(2^4) multiplier. If N = w, for example, the scaled product NΓΔ = w(g_1 w + g_0)(d_1 w + d_0) becomes

$f = (g_1 \oplus g_0) \otimes (d_1 \oplus d_0)$

$N\Gamma\Delta = [f \oplus (g_1 \otimes d_1)]w \oplus [f \oplus (g_0 \otimes d_0)]$

so the scaling is “free.”

4.2  Normal  Basis  Optimizations 

Analogous optimizations are available using normal bases, although the details change. For instance, in GF(2^2) with a normal basis [W^2, W] the squaring operation is free:

$(g_1 W^2 + g_0 W)^2 = g_0 W^2 + g_1 W$

And while it is still convenient to choose τ = 1 and T = 1, different choices for ν and N can make the combination of squaring and scaling in GF(2^4) efficient. Here scaling the square of γ = Γ_1 Z^4 + Γ_0 Z by ν = Λ_1 Z^4 + Λ_0 Z gives

$\nu \otimes \gamma^2 = \nu \otimes \{[\Gamma_1^2 \oplus N \otimes (\Gamma_1^2 \oplus \Gamma_0^2)]Z^4 \oplus [\Gamma_0^2 \oplus N \otimes (\Gamma_1^2 \oplus \Gamma_0^2)]Z\}$

$= [\Lambda_1 \otimes (\Gamma_1^2 \oplus N \otimes (\Gamma_1^2 \oplus \Gamma_0^2)) \oplus N(\Lambda_1 + \Lambda_0) \otimes (\Gamma_1^2 \oplus \Gamma_0^2)]Z^4$

$\quad \oplus [\Lambda_0 \otimes (\Gamma_0^2 \oplus N \otimes (\Gamma_1^2 \oplus \Gamma_0^2)) \oplus N(\Lambda_1 + \Lambda_0) \otimes (\Gamma_1^2 \oplus \Gamma_0^2)]Z$

$= [(\Lambda_1 + N\Lambda_0) \otimes \Gamma_1^2 \oplus (N\Lambda_0) \otimes \Gamma_0^2]Z^4 \oplus [(N\Lambda_1) \otimes \Gamma_1^2 \oplus (\Lambda_0 + N\Lambda_1) \otimes \Gamma_0^2]Z$

This can be made more efficient by choosing, for example, Λ_1 = NΛ_0, giving

$\nu \otimes \gamma^2 = [(N\Lambda_0) \otimes \Gamma_0^2]Z^4 \oplus [(N\Lambda_1) \otimes \Gamma_1^2 \oplus (\Lambda_0 + N\Lambda_1) \otimes \Gamma_0^2]Z$

$= [(N\Lambda_0) \otimes \Gamma_0^2]Z^4 \oplus [(N^2\Lambda_0) \otimes \Gamma_1^2 \oplus ((N^2 + 1)\Lambda_0) \otimes \Gamma_0^2]Z$

$= [(N\Lambda_0) \otimes \Gamma_0^2]Z^4 \oplus [(N^2\Lambda_0) \otimes \Gamma_1^2 \oplus (N\Lambda_0) \otimes \Gamma_0^2]Z$

which again requires only two scalings and an addition (note the common sub-expression), since squaring is free. Also, it is possible to choose Λ_0 = N^{-1} to save one scaling.

The top level inversion, of g = γ_1 Y^16 + γ_0 Y in GF(2^8), can be done by

$\theta = [\{\nu \otimes (\gamma_1 \oplus \gamma_0)^2\} \oplus (\gamma_1 \otimes \gamma_0)]^{-1}$

$g^{-1} = [\theta \otimes \gamma_0]Y^{16} \oplus [\theta \otimes \gamma_1]Y$

Similarly, γ = Γ_1 Z^4 + Γ_0 Z in GF(2^4) is inverted by

$\Theta = [N \otimes (\Gamma_1 \oplus \Gamma_0)^2 \oplus (\Gamma_1 \otimes \Gamma_0)]^{-1}$

$\gamma^{-1} = [\Theta \otimes \Gamma_0]Z^4 \oplus [\Theta \otimes \Gamma_1]Z$

where in GF(2^2) inversion is the same as squaring, which is free.

In GF(2^4) the product γδ = (Γ_1 Z^4 + Γ_0 Z)(Δ_1 Z^4 + Δ_0 Z) is found by

$\Phi = N \otimes (\Gamma_1 \oplus \Gamma_0) \otimes (\Delta_1 \oplus \Delta_0)$

$\gamma\delta = [\Phi \oplus (\Gamma_1 \otimes \Delta_1)]Z^4 \oplus [\Phi \oplus (\Gamma_0 \otimes \Delta_0)]Z$

And in GF(2^2), the product ΓΔ = (g_1 W^2 + g_0 W)(d_1 W^2 + d_0 W) corresponds to

$f = (g_1 \oplus g_0) \otimes (d_1 \oplus d_0)$

$\Gamma\Delta = [f \oplus (g_1 \otimes d_1)]W^2 \oplus [f \oplus (g_0 \otimes d_0)]W$

Scaling in GF(2^2) is accomplished by

$(W) \otimes (g_1 W^2 + g_0 W) = [g_1 \oplus g_0]W^2 \oplus [g_1]W$

$(W^2) \otimes (g_1 W^2 + g_0 W) = [g_0]W^2 \oplus [g_0 \oplus g_1]W$

At  this  level  of  optimization,  the  smallest  GF( 28)  inverter  using  normal  bases  turns  out 
to  use  exactly  the  same  number  of  gates  as  the  smallest  polynomial  version.  However,  this 
does  not  account  for  further  optimizations  from  common  subexpressions  (discussed  below), 
nor  for  the  change  in  representation  (basis)  required  on  entering  and  leaving  the  S-box. 

4.3  Mixing  Basis  Types 

There is no reason why the three bases, for GF(2^8), GF(2^4), and GF(2^2), should all be polynomial bases or all be normal bases; one is free to choose either type of basis at each level. (Of course, one could choose other types of basis at each level, but both polynomial and normal bases have structure that leads to efficient calculation, which is lacking in other bases.) We have seen that the inverters in GF(2^8) for both types of basis require the same number and type of operations in GF(2^4), and similarly for the inverters in GF(2^4). The multipliers also use the same operations for both types of bases; the same is true for the scalers in GF(2^2).

In GF(2^2), squaring is free with a normal basis, while the combination w ⊗ Γ^2 is free with a polynomial basis. Since the GF(2^4) inverter needs one GF(2^2) inverter (same as squaring) and one combo N ⊗ Γ^2, then as long as N = w this gives no preference for either type of basis.

The main differences then are in the combined squaring-scaling operation required by the GF(2^8) inverters: ν ⊗ γ^2. The details vary for the calculations this operation requires in GF(2^2), depending on the basis types and the relations between ν, N, z, and w. The tables below summarize all the different cases.
Coefficients: Polynomial GF(2^4) Basis, with ν = Cz + D and

$\nu \otimes (Az + B)^2 = [(CN^2 + D)A^2 + CB^2]z + [(C + D)N A^2 + DB^2]$

| C   | D   | z coefficient          | 1 coefficient              | XOR gates, poly. GF(2^2), w = N | poly. GF(2^2), w = N^2 | norm. GF(2^2) |
|-----|-----|------------------------|----------------------------|---|---|---|
| N   | 0   | A^2 ⊕ N ⊗ B^2          | N^2 ⊗ A^2                  | 4 | 5 | 4 |
| N^2 | 0   | N ⊗ A^2 ⊕ N^2 ⊗ B^2    | A^2                        | 4 | 5 | 4 |
| N   | N   | N^2 ⊗ A^2 ⊕ N ⊗ B^2    | N ⊗ B^2                    | 3 | 4 | 4 |
| N^2 | N^2 | A^2 ⊕ N^2 ⊗ B^2        | N^2 ⊗ B^2                  | 4 | 4 | 3 |
| N   | 1   | N ⊗ B^2                | (A ⊕ B)^2                  | 3 | 5 | 3 |
| N^2 | N   | N^2 ⊗ B^2              | N ⊗ (A ⊕ B)^2              | 3 | 4 | 4 |
| N   | N^2 | N ⊗ (A ⊕ B)^2          | N ⊗ (A ⊕ B)^2 ⊕ B^2        | 5 | 7 | 5 |
| N^2 | 1   | N^2 ⊗ (A ⊕ B)^2        | N^2 ⊗ (A ⊕ B)^2 ⊕ N ⊗ B^2  | 5 | 6 | 6 |

Coefficients: Normal GF(2^4) Basis, with ν = Cz^4 + Dz and

$\nu \otimes (Az^4 + Bz)^2 = [CA^2 + DN(A^2 + B^2)]z^4 + [CN(A^2 + B^2) + DB^2]z$

| C   | D   | z^4 coefficient        | z coefficient          | XOR gates, poly. GF(2^2), w = N | poly. GF(2^2), w = N^2 | norm. GF(2^2) |
|-----|-----|------------------------|------------------------|---|---|---|
| N   | 0   | N ⊗ A^2                | N^2 ⊗ (A ⊕ B)^2        | 3 | 4 | 4 |
| 0   | N   | N^2 ⊗ (A ⊕ B)^2        | N ⊗ B^2                | 3 | 4 | 4 |
| N^2 | 0   | N^2 ⊗ A^2              | (A ⊕ B)^2              | 4 | 4 | 3 |
| 0   | N^2 | (A ⊕ B)^2              | N^2 ⊗ B^2              | 4 | 4 | 3 |
| N   | 1   | N ⊗ B^2                | N^2 ⊗ A^2 ⊕ N ⊗ B^2    | 3 | 4 | 4 |
| 1   | N   | N ⊗ A^2 ⊕ N^2 ⊗ B^2    | N ⊗ A^2                | 3 | 4 | 4 |
| N^2 | 1   | A^2 ⊕ N ⊗ B^2          | A^2                    | 3 | 5 | 3 |
| 1   | N^2 | B^2                    | N ⊗ A^2 ⊕ B^2          | 3 | 5 | 3 |

The first table is for a polynomial basis in GF(2^4); the second is for a normal basis. The first two columns show the coefficients of ν in terms of N, which depends on the bases for GF(2^4) and GF(2^2). (All eight possibilities are shown for both tables, although, due to the symmetry of normal bases, the second table essentially has only four cases, each shown two ways.) The next two columns show the coefficients of ν ⊗ γ^2 that need to be calculated; each is expressed in a form to suggest a compact calculation. The last three columns show the total number of XOR gates required for: a polynomial basis for GF(2^2) with w = N; a polynomial basis for GF(2^2) with w = N^2; or a normal basis for GF(2^2). Note that addition in GF(2^2) uses two XOR’s while scaling uses one. These numbers incorporate taking advantage of whichever calculation is free in the particular GF(2^2) basis, and include this adjustment: for a polynomial basis in GF(2^2) with w = N^2, add one since the N ⊗ Γ^2 in the inverter requires a scaling.

Altogether,  85  XOR’s  and  36  AND’s  are  needed  for  the  rest  of  the  calculation,  so  the 
inverter  could  include  from  88  to  92  XOR’s  (excluding  common  subexpression  optimizations 
below),  depending  on  basis  choice.  This  does  not  account  for  the  gates  needed  to  change 
between  representations  (bases)  on  entering  and  exiting  the  S-box.  Since  there  is  only  a 
difference  of  4  XOR’s  between  the  smallest  and  largest  inverter  that  incorporate  the  above 
optimizations,  the  change  of  basis  can  play  an  important  role. 
4.4 Common Subexpressions

A  further  level  of  optimization  comes  from  finding  subexpressions  that  appear  more  than 
once  in  the  above  hierarchical  view  of  the  inverter.  Each  of  these  common  subexpressions 
need  only  be  computed  once,  thus  reducing  the  size  of  the  inverter. 

As  [12]  mentions,  one  place  this  occurs  is  when  the  same  factor  is  input  to  two  different 
multipliers.  Each  multiplier  needs  the  sum  of  the  high  and  low  halves  of  each  factor,  so 
a  shared  factor  saves  one  addition  in  the  subfield.  For  example,  a  2-bit  factor  shared  by 
two  GF( 22)  multipliers  saves  one  XOR.  Moreover,  since  each  GF( 24)  multiplier  includes 
three  GF( 22)  multipliers,  then  a  shared  4-bit  factor  implies  three  corresponding  shared  2-bit 
factors.  So  each  shared  4-bit  factor  saves  five  XOR’s  (one  2-bit  addition  and  three  1-bit 
additions). 

The polynomial-basis inverters for GF(2^8) and GF(2^4) each have two different factors that are each shared between two multipliers (which appeared as φ and θ in GF(2^4), Φ and Θ in GF(2^2)). However, each of the corresponding normal-basis inverters share all three factors among the three multipliers (called θ, γ_1 and γ_0 in GF(2^4), and Θ, Γ_1 and Γ_0 in GF(2^2)). This gives a significant advantage to using a normal basis in GF(2^8), since the additional shared factor in the GF(2^8) inverter saves five more XOR’s.

Another  place  to  look  is  in  the  GF( 24)  square-scale  combination.  It  turns  out  that,  of 
the  36  variations  in  the  tables  (page  15),  a  repeated  sum  of  two  bits  can  be  found  in  10  cases 
(all  with  polynomial  GF( 24)  bases),  saving  one  XOR. 

A more subtle saving occurs in the GF(2^4) inverter. There are essentially 6 versions, depending on the types of basis for GF(2^4) and GF(2^2), and for a polynomial GF(2^2) basis whether N = w or N = w^2. Each case can be improved by at least one XOR, and in
two  cases,  by  two  XOR’s.  These  improvements  all  involve  bit  sums  computed  for  common 
factors  being  combined  with  some  other  operations,  but  the  details  vary  from  case  to  case. 
For  example,  with  both  bases  polynomial,  combining  the  GF( 22)  inverter  with  finding  the 
sum  of  its  output  bits  (it’s  a  shared  factor)  saves  one  XOR.  Or  for  both  normal  bases, 
combining  the  sum  of  the  high  and  low  inputs  and  the  following  square-scale  operation  with 
the  bit  sums  of  the  high  and  low  inputs  (shared  factors)  again  saves  one  XOR. 

The  last  optimization  occurs  in  the  GF( 28)  inverter,  combining  the  bit  sums  for  shared 
input  factors  with  parts  of  the  square-scale  operation.  Again  the  details  vary  with  the 
specifics  of  the  basis  choices.  All  36  versions  with  a  normal  GF( 28)  basis  were  examined  (the 
others  have  a  5  XOR  handicap),  and  also  the  all-polynomial  version  corresponding  to  the 
bases  in  [12],  for  comparison.  The  resulting  improvement  ranges  from  three  to  five  XOR’s: 
for  most  cases  (23)  it  was  three,  for  a  dozen  cases  it  was  four,  and  it  was  five  in  only  two 
cases. 

While  all  these  additional  optimizations  apply  differently  to  the  various  basis  choices, 
they  tend  to  make  the  various  versions  more  similar  in  size,  with  one  exception:  the  extra 
shared  factor  in  the  normal  GF( 28)  inverter  gives  an  advantage  of  five  XOR’s.  Hence  those 
cases  using  a  polynomial  basis  for  GF( 28)  are  effectively  uncompetitive.  The  smallest  (prior 
to  these  optimizations)  inverter  saves  15  +  3  XOR’s  in  shared  factors,  1  more  in  the  GF( 24) 
inverter,  and  3  more  in  the  GF( 28)  inverter,  giving  a  total  size  of  66  XOR’s  and  36  AND’s. 
(The  bases  of  [12]  give  an  inverter  with  73  XOR’s.) 

The following tables show the size of the inverter when all of these optimizations have been applied; in addition to the number of XOR’s shown, each inverter includes 36 AND’s.


Poly. GF(2^4) basis, ν = Cz + D: XOR gates

| C   | D   | poly. GF(2^2), w = N | poly. GF(2^2), w = N^2 | norm. GF(2^2) |
|-----|-----|----|----|----|
| N   | 0   | 67 | 67 | 67 |
| N^2 | 0   | 67 | 67 | 67 |
| N   | N   | 67 | 67 | 67 |
| N^2 | N^2 | 67 | 67 | 67 |
| N   | 1   | 67 | 67 | 67 |
| N^2 | N   | 67 | 67 | 67 |
| N   | N^2 | 68 | 68 | 67 |
| N^2 | 1   | 67 | 68 | 67 |

Norm. GF(2^4) basis, ν = Cz^4 + Dz: XOR gates

| C   | D   | poly. GF(2^2), w = N | poly. GF(2^2), w = N^2 | norm. GF(2^2) |
|-----|-----|----|----|----|
| N   | 0   | 66 | 66 | 66 |
| 0   | N   | 66 | 66 | 66 |
| N^2 | 0   | 66 | 66 | 66 |
| 0   | N^2 | 66 | 66 | 66 |
| N   | 1   | 66 | 66 | 66 |
| 1   | N   | 66 | 66 | 66 |
| N^2 | 1   | 66 | 66 | 66 |
| 1   | N^2 | 66 | 66 | 66 |

The first table is for a polynomial GF(2^4) basis, the second for a normal GF(2^4) basis; both tables assume a normal basis for GF(2^8), for the extra shared 4-bit factor. It is apparent that these low-level optimizations tend to even out the differences expected from the square-scale operation (compare with the tables on page 15). Using a polynomial GF(2^4) basis costs at least one XOR (one less shared 2-bit factor), and a few cases cost one more. Because the variation in the inverter size is so small, the cost of changing between the standard representation and the S-box basis will be decisive.

5  Choices  of  Representation 

This algorithm involves several related representations, or isomorphisms, of Galois Fields. First, GF(2^8) is considered as the set of bytes with the polynomial basis implied by the irreducible polynomial q(x) = x^8 + x^4 + x^3 + x + 1. Then GF(2^8)/GF(2^4) is also considered as polynomials with coefficients in GF(2^4), based on the irreducible polynomial r(y) = y^2 + y + ν. Similarly, GF(2^4)/GF(2^2) uses a basis implied by the irreducible polynomial s(z) = z^2 + z + N, and GF(2^2)/GF(2) uses a root of t(w) = w^2 + w + 1. So each byte of information has two forms: the standard AES form (polynomial basis in 8 powers of A), and the subfield form in GF(2^8)/GF(2^4) as a pair of 4-bit coefficients, each being (in GF(2^4)/GF(2^2)) a pair of two-bit coefficients, which in turn are coefficients in the basis for GF(2^2).

One approach to using these two forms, as suggested by [11], is to convert each byte of the input block once, and do all of the AES algorithm in the new form, only converting back at the end of all the rounds. Since all the arithmetic in the AES algorithm is Galois arithmetic, this would work fine, provided the key was appropriately converted as well. However, the MixColumns step involves multiplying by constants that are simple in the standard basis (2 and 3, or A and A + 1), but this simplicity is lost in the subfield basis. For example, scaling by 2 in the standard basis takes only 3 XOR’s; the most efficient normal-basis version of this scaling requires 18 XOR’s. Similar concerns arise in the inverse of MixColumns, used in decryption. This extra complication more than offsets the savings from delaying the basis change back to standard. Then, as in [12], the affine transformation can be combined with the basis change (see below). For these reasons, it is most efficient to change into the subfield basis on entering the S-box and to change back again on leaving it.
Each change of basis is in effect multiplication by an 8 × 8 bit matrix. Letting X refer to the matrix that converts from the subfield basis to the standard basis, then to compute the S-box function of a given byte, first we do a bit-matrix multiply by X^{-1} to change into the subfield basis, then calculate the Galois inverse by subfield arithmetic, then change basis back again by another bit-matrix multiply, by X. But this is followed directly by the affine transformation (substep 2), which includes another bit-matrix multiply, by the constant matrix M. (This can be regarded as another change of basis, since M is invertible.) So we can combine the matrices into the product MX to save one bit-matrix multiply, as pointed out by [12]. Then adding the constant b completes the S-box function.

The inverse S-box function is similar, except the XOR with constant b comes first, followed by multiplication by the bit matrix (MX)^{-1}. Then after finding the inverse, we convert back to the standard basis through multiplication by the matrix X.

For each such constant-matrix multiply, the gate count can be reduced by “factoring out” combinations of input bits that are shared between different output bits (rows). One way to do this is known as the “greedy algorithm,” where at each stage one picks the combination of two input bits that is shared by the most output bits; that combination is then pre-computed in a single (XOR) gate, whose output effectively becomes a new input to the remaining matrix multiply. The greedy algorithm is straightforward to implement, and generally gives good results.
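The greedy factoring just described, as an added C example (not the paper’s own Appendix C program): it runs the algorithm on the X^{-1} matrix of the winning case given in Section 6 and checks the factored XOR network against direct row-by-row evaluation for every input byte. The signal numbering, the struct layout and the tie-breaking rule (the first pair found with the maximal count wins) are this example’s own choices, not the paper’s.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_ROWS 16   /* enough for the merged 16 x 8 matrices discussed later */
#define MAX_SIG  64   /* 8 input bits plus XOR-gate outputs */

typedef struct {
    int nrows, nsig;                 /* signals 0..7 are input bits, 8.. are gate outputs */
    uint64_t row[MAX_ROWS];          /* per output row: the set of signals XORed together */
    int gate_a[MAX_SIG], gate_b[MAX_SIG]; /* the two inputs of each gate-output signal */
} factored_t;

static int popcount64(uint64_t v) { int c = 0; while (v) { v &= v - 1; c++; } return c; }

/* Greedy factoring: at each stage pre-compute the pair of signals shared by the most
 * rows in one XOR gate, whose output becomes a new signal; stop when no pair is shared
 * by two or more rows. Returns the total XOR count: shared gates plus what remains in
 * each row (a row of m signals still needs m - 1 XORs). */
int greedy_factor(const uint8_t *rows, int nrows, factored_t *f) {
    f->nrows = nrows; f->nsig = 8;
    for (int r = 0; r < nrows; r++) f->row[r] = rows[r];
    for (;;) {
        int best = 1, bi = -1, bj = -1;
        for (int i = 0; i < f->nsig; i++)
            for (int j = i + 1; j < f->nsig; j++) {
                uint64_t pair = (1ULL << i) | (1ULL << j);
                int n = 0;
                for (int r = 0; r < nrows; r++) if ((f->row[r] & pair) == pair) n++;
                if (n > best) { best = n; bi = i; bj = j; }
            }
        if (bi < 0 || f->nsig == MAX_SIG) break;
        int k = f->nsig++;
        f->gate_a[k] = bi; f->gate_b[k] = bj;
        uint64_t pair = (1ULL << bi) | (1ULL << bj);
        for (int r = 0; r < nrows; r++)
            if ((f->row[r] & pair) == pair) f->row[r] = (f->row[r] & ~pair) | (1ULL << k);
    }
    int gates = f->nsig - 8;
    for (int r = 0; r < nrows; r++) { int m = popcount64(f->row[r]); if (m > 1) gates += m - 1; }
    return gates;
}

/* Evaluate the factored network on one input byte; bit r of the result is output row r */
uint16_t eval_factored(const factored_t *f, uint8_t x) {
    uint8_t val[MAX_SIG];
    for (int s = 0; s < 8; s++) val[s] = (x >> s) & 1;
    for (int s = 8; s < f->nsig; s++) val[s] = val[f->gate_a[s]] ^ val[f->gate_b[s]];
    uint16_t out = 0;
    for (int r = 0; r < f->nrows; r++) {
        uint8_t bit = 0;
        for (int s = 0; s < f->nsig; s++) if ((f->row[r] >> s) & 1) bit ^= val[s];
        out |= (uint16_t)(bit << r);
    }
    return out;
}

/* Plain row-by-row evaluation (parity of the masked input bits), same bit order */
uint16_t eval_direct(const uint8_t *rows, int nrows, uint8_t x) {
    uint16_t out = 0;
    for (int r = 0; r < nrows; r++) {
        uint8_t p = rows[r] & x;
        p ^= p >> 4; p ^= p >> 2; p ^= p >> 1;
        out |= (uint16_t)((p & 1) << r);
    }
    return out;
}

/* Gate count with no sharing at all: each row with m ones costs m - 1 XORs */
int unfactored_gates(const uint8_t *rows, int nrows) {
    int gates = 0;
    for (int r = 0; r < nrows; r++) { int m = popcount64(rows[r]); if (m > 1) gates += m - 1; }
    return gates;
}

/* The X^-1 matrix of the winning case (Section 6), rows b7..b0, bit i = input bit g_i */
static const uint8_t XINV_ROWS[8] = {0xE7, 0x71, 0x63, 0xE1, 0x9B, 0x01, 0x61, 0x4F};

/* Factor X^-1 greedily and verify the network on all 256 inputs;
 * returns the greedy XOR count, or -1 if the factored circuit disagrees somewhere */
int greedy_xinv_gates(void) {
    factored_t f;
    int gates = greedy_factor(XINV_ROWS, 8, &f);
    for (int x = 0; x < 256; x++)
        if (eval_factored(&f, (uint8_t)x) != eval_direct(XINV_ROWS, 8, (uint8_t)x)) return -1;
    return gates;
}

int main(void) {
    printf("X^-1: %d XORs unfactored, %d after greedy factoring\n",
           unfactored_gates(XINV_ROWS, 8), greedy_xinv_gates());
    return 0;
}
```

For this particular matrix the greedy count can be compared directly with the fully optimized figure of 13 XOR’s that the paper reports for X^{-1}.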

But the greedy algorithm may not find the best result. We used a brute-force “tree search” approach to finding the optimal factoring. At each stage, each possible choice for factoring out a bit combination was tried, and the next stage examined recursively. Actually, some “pruning” of the tree is possible, when the bit-pair choice in the current stage is independent of that in the calling stage and had been checked previously. Appendix C gives the C program.

This  method  is  guaranteed  to  find  the  minimal  number  of  gates;  the  drawback  is  that 
one  cannot  tell  how  long  it  will  take,  due  to  the  combinatorial  complexity  of  the  algorithm. 
For  example,  running  on  an  Intel  Xeon  processor  under  Linux  (without  “pruning”),  one 
particular  8x8  matrix  took  over  2  weeks,  while  many  others  took  a  fraction  of  a  microsecond. 
(However,  many  of  the  matrices  that  took  very  long  times  had  already  been  ruled  poor 
candidates  by  the  greedy  algorithm,  and  could  have  been  skipped.) 

Using the “merged” S-box and inverse S-box of [12] complicates this picture, but reduces the hardware required overall when both encryption and decryption are needed. There, a block containing a single GF(2^8) inverter can be used to compute either the S-box function or its inverse, depending on a selector signal. Given an input byte a, both X^{-1} a and (MX)^{-1}(a + b) are computed, with the first selected for encryption, the second for decryption. That selection is input into the inverter, and from the output byte c, both (MX) c + b and X c are computed; again the first is selected for encryption, the second for decryption.

With this merged approach, these basis-change matrix pairs can be optimized together, considering X^{-1} and (MX)^{-1} together as a 16 × 8 matrix, and similarly (MX) and X, each pair taking one byte as input and giving two bytes as output. (Then (MX)^{-1}(a + b) must be computed as (MX)^{-1} a + [(MX)^{-1} b].) Combining in this way allows more commonality among rows (16 instead of 8) and so yields a more compact “factored” form. Of course, this also means the “tree search” optimizer has a much bigger task and longer run time. (Note: this is what actually induced our development of the “pruning” strategy, which typically gives a speedup factor of 10 to 20, enough to make full optimization feasible.)

The additive constant b of the affine transformation (or (MX)^{-1} b for decryption), being an exclusive-OR with a known constant, just requires negating specific bits of the output of the basis change. (Actually, since the multiplexors we use are themselves negating, it is the bits other than those in b that need negating first.) In most cases, this can be done by replacing an XOR by an XNOR (not-exclusive-or, which really should be called NXOR) in the basis change, which is “free” since both XOR and XNOR are the same size in the CMOS library we consider. But in some cases, such as when an output bit is given by a single input bit, the negation must be done explicitly with a NOT gate.

At  this  time,  not  all  of  the  matrices  for  all  of  the  cases  considered  below  have  been  fully 
optimized,  but  the  data  so  far  indicate  how  full  optimization  can  improve  on  the  greedy 
algorithm.  For  the  architecture  with  separate  encryptor  and  decryptor,  the  top  25%  of  cases 
(based  on  greedy  algorithm  estimates)  have  been  fully  optimized:  of  952  matrices  (8  x  8) 
optimized,  346  (36%)  were  improved  by  at  least  one  XOR,  and  of  those,  45  (13%  of  improved 
ones)  were  improved  by  two  XOR’s,  and  2  (0.6%  of  improved  ones)  were  improved  by  three 
XOR’s.  For  the  merged  architecture,  the  top  14  cases  have  been  optimized:  of  36  matrices 
(16  x  8)  optimized,  17  (47%)  were  improved  by  one  XOR,  6  (17%)  were  improved  by  two 
XOR’s,  and  5  (14%)  were  improved  by  three  XOR’s,  so  altogether  78%  were  improved. 

We considered all of the subfield polynomial and normal bases that had a trace of unity. Over GF(2^4), there are eight choices for ν that make r(y) = y^2 + y + ν irreducible, namely the four elements with the minimal polynomial (over GF(2)) x^4 + x^3 + 1, and the four elements with the minimal polynomial x^4 + x^3 + x^2 + x + 1. There are only two choices for N that make the polynomial s(z) = z^2 + z + N irreducible over GF(2^2), namely the two roots of t(w) = w^2 + w + 1. Each of these polynomials r(y), s(z), and t(w) has two distinct roots, and for a polynomial basis we may choose either, or for a normal basis we use both. So including the choices for ν and N and the type of basis at each level, there are (8 × 3) × (2 × 3) × (1 × 3) = 432 possible cases. (Note: the basis used in [12] corresponds to case number 252 in Appendix E.)

The  most  compact  case  was  judged  to  be  the  one  giving  the  least  number  of  gates  for  the 
merged  S-box  architecture  of  [12],  where  a  single  inverter  is  shared  for  both  encryption  and 
decryption,  using  merged  bit  matrices  X-1  and  (MX)-1  before  the  inverter,  and  (MX)  and 
X  after.  The  total  gates  include  the  two  optimized  16  x  8  matrices,  the  two  additions  of  the 
constant  b,  one  inverter,  and  also  the  multiplexors.  As  it  happens,  the  case  giving  the  most 
compact  circuit  for  this  architecture  also  gives  the  most  compact  separate  encryptor  (with 
just  X-1,  inverter,  (MX),  and  b),  and  gives  a  separate  decryptor  that  is  one  XOR  bigger 
than  the  smallest. 

(The  envelope,  please...) 

The winner is case number 4 in the Appendix E table of all the cases. Here we will specify the relevant Galois elements in three forms: by our naming convention summarized in table D.3, by decimal and by hexadecimal numbers (in C notation), which refer to the representation in the standard basis (in powers of A). This case uses normal bases for all subfields. For GF(2^8)/GF(2^4), the norm ν = β^8 = 236 = 0xEC, and y = δ = 255 = 0xFF, so the basis is [δ^16, δ] = [0xFE, 0xFF] (recall that for each of the normal bases, the sum of the two elements is the trace, which is unity). For GF(2^4)/GF(2^2), N = Ω^2 = 188 = 0xBC and z = α^2 = 92 = 0x5C, so the basis is [α^8, α^2] = [0x5D, 0x5C]. And for GF(2^2), w = Ω = 189 = 0xBD, so the basis is [Ω^2, Ω] = [0xBC, 0xBD]. For this case, ν = N^2 z, i.e., C = 0 and D = N^2 in the table above, so this inverter is the smallest, consisting of 66 XOR’s and 36 NAND’s. (Note: because each AND output bit is combined with another AND output in a following XOR, the AND gates can be replaced by NAND gates, which are smaller in the library considered.) The optimized versions of the merged basis change matrices have the following numbers of XOR’s/XNOR’s: [X^{-1} & (MX)^{-1}] = 20, [(MX) & X] = 18. Also, the additive constants of the affine transformation require 2 NOT’s. For separate encryptor and decryptor, the optimized matrices have these sizes: X^{-1} = 13, MX = 11, X = 13, (MX)^{-1} = 12 (no NOT’s required).

So the complete merged S-box and inverse, including inverter, transformation matrices, additive constant b, and multiplexors, totals 104 XOR/XNOR’s + 36 NAND’s + 2 NOT’s + 16 MUX21I’s (where MUX21I is a 2:1 selector and inverter [13]). Using the equivalencies 1 XOR/XNOR = 7/4 NAND gates, 1 NOT = 3/4 NAND gates, and 1 MUX21I = 7/4 NAND gates [13], this S-box is equivalent in size to 247 1/2 NAND’s, an improvement of 16% over the merged S-Box of [12] at 294 NAND’s.

If separate encryptors and decryptors are preferable, then the S-box includes the bit matrices X^{-1} and MX and inverter, totaling 90 XOR’s + 36 NAND’s, with equivalent size 193 1/2 NAND’s; the inverse S-box uses (MX)^{-1} and X and inverter, giving 91 XOR’s + 36 NAND’s, of size 195 1/4 NAND’s. (If only a decryptor is needed, then one could use one of the bases 43, 113, or 125, to get an inverse S-box of 90 XOR’s + 36 NAND’s.)

Since  we  have  not  yet  fully  optimized  the  matrices  for  all  of  the  432  possible  cases,  it  is 
conceivable  that  one  of  the  other  cases  could  turn  out  to  be  better  than  case  4.  We  have 
optimized  all  cases  whose  estimated  size,  based  on  the  greedy  algorithm,  was  within  8  XOR’s 
of  the  actual  size  of  case  4  (104  XOR’s).  So  far,  the  best  improvement  in  a  single  16  x  8 
matrix  is  3  XOR’s,  and  the  best  improvement  in  the  pair  of  matrices  for  a  single  case  is  4 
XOR’s.  For  some  other  case  to  be  best,  full  optimization  must  improve  a  matrix  pair,  beyond 
what  the  greedy  algorithm  found,  by  at  least  9  XOR’s.  We  consider  this  highly  unlikely,  and 
so  are  confident  that  case  4  is  indeed  the  best  of  all  432  cases. 


6  Implementation  Details 

For the change of basis matrix, we want to change an element $g$ of $\mathrm{GF}(2^8)$, in the standard AES representation as a byte of 8 bits $g_i \in \mathrm{GF}(2)$, namely $g_7 g_6 g_5 g_4 g_3 g_2 g_1 g_0$, meaning $g_7 A^7 + g_6 A^6 + g_5 A^5 + g_4 A^4 + g_3 A^3 + g_2 A^2 + g_1 A + g_0$, into the new basis. Then in $\mathrm{GF}(2^8)/\mathrm{GF}(2^4)$, $g = \gamma_1 y^{16} + \gamma_0 y$, where for each element $\gamma \in \mathrm{GF}(2^4)/\mathrm{GF}(2^2)$ we have $\gamma = \Gamma_1 z^4 + \Gamma_0 z$, and each element $\Gamma \in \mathrm{GF}(2^2)$ is considered a pair of bits $b_1 b_0$, meaning $b_1 w^2 + b_0 w$. So the new byte representation $b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0$ is related to the old by

$$g_7 A^7 + g_6 A^6 + g_5 A^5 + g_4 A^4 + g_3 A^3 + g_2 A^2 + g_1 A + g_0$$
$$= [(b_7 w^2 + b_6 w) z^4 + (b_5 w^2 + b_4 w) z]\, y^{16} + [(b_3 w^2 + b_2 w) z^4 + (b_1 w^2 + b_0 w) z]\, y$$
$$= b_7 w^2 z^4 y^{16} + b_6 w z^4 y^{16} + b_5 w^2 z y^{16} + b_4 w z y^{16} + b_3 w^2 z^4 y + b_2 w z^4 y + b_1 w^2 z y + b_0 w z y$$

The relevant arithmetic in $\mathrm{GF}(2^8)$ (see Appendix D), using the standard $A$ polynomial basis and logarithms base $B$, is: $y = \mathtt{0xFF} = B^{7}$, $z = \mathtt{0x5C} = B^{34}$, $w = \mathtt{0xBD} = B^{85}$, $y^{16} = B^{112} = \mathtt{0xFE}$, $z^4 = B^{136} = \mathtt{0x5D}$, $w^2 = B^{170} = \mathtt{0xBC}$, $w^2 z^4 y^{16} = B^{418} = B^{163} = \mathtt{0x64}$, $w z^4 y^{16} = B^{333} = B^{78} = \mathtt{0x78}$, $w^2 z y^{16} = B^{316} = B^{61} = \mathtt{0x6E}$, $w z y^{16} = B^{231} = \mathtt{0x8C}$, $w^2 z^4 y = B^{313} = B^{58} = \mathtt{0x68}$, $w z^4 y = B^{228} = \mathtt{0x29}$, $w^2 z y = B^{211} = \mathtt{0xDE}$, $w z y = B^{126} = \mathtt{0x60}$, so these become the columns of the basis change matrix $X$:

$$\begin{pmatrix} g_7\\ g_6\\ g_5\\ g_4\\ g_3\\ g_2\\ g_1\\ g_0 \end{pmatrix} =
\begin{pmatrix}
0&0&0&1&0&0&1&0\\
1&1&1&0&1&0&1&1\\
1&1&1&0&1&1&0&1\\
0&1&0&0&0&0&1&0\\
0&1&1&1&1&1&1&0\\
1&0&1&1&0&0&1&0\\
0&0&1&0&0&0&1&0\\
0&0&0&0&0&1&0&0
\end{pmatrix}
\begin{pmatrix} b_7\\ b_6\\ b_5\\ b_4\\ b_3\\ b_2\\ b_1\\ b_0 \end{pmatrix}$$

Then the reverse change of basis is given by $X^{-1}$ (modulo 2):

$$\begin{pmatrix} b_7\\ b_6\\ b_5\\ b_4\\ b_3\\ b_2\\ b_1\\ b_0 \end{pmatrix} =
\begin{pmatrix}
1&1&1&0&0&1&1&1\\
0&1&1&1&0&0&0&1\\
0&1&1&0&0&0&1&1\\
1&1&1&0&0&0&0&1\\
1&0&0&1&1&0&1&1\\
0&0&0&0&0&0&0&1\\
0&1&1&0&0&0&0&1\\
0&1&0&0&1&1&1&1
\end{pmatrix}
\begin{pmatrix} g_7\\ g_6\\ g_5\\ g_4\\ g_3\\ g_2\\ g_1\\ g_0 \end{pmatrix}$$

So to compute the S-box function of a given byte, first we do a bit-matrix multiply (by $X^{-1}$) to change into the basis for $\mathrm{GF}(2^8)/\mathrm{GF}(2^4)/\mathrm{GF}(2^2)$, then calculate the inverse. Then change basis back again and perform the affine transformation, through another bit-matrix multiply by $MX$:

$$MX = \begin{pmatrix}
0&0&1&0&1&0&0&0\\
1&0&0&0&1&0&0&0\\
0&1&0&0&0&0&0&1\\
1&0&1&0&1&0&0&0\\
1&1&1&1&1&0&0&0\\
0&1&1&0&1&1&0&1\\
0&0&1&1&0&0&1&0\\
0&1&0&1&0&0&1&0
\end{pmatrix}$$

and addition of the constant $b$.

The inverse S-box function is similar, except the XOR with constant $b$ comes first. Then comes multiplication by the bit matrix

$$(MX)^{-1} = \begin{pmatrix}
1&0&0&1&0&0&0&0\\
0&1&0&1&0&0&1&1\\
0&1&0&1&0&0&0&0\\
0&1&0&0&1&0&1&1\\
1&1&0&1&0&0&0&0\\
1&0&1&0&0&1&0&0\\
0&0&0&1&1&0&0&1\\
0&1&1&1&0&0&1&1
\end{pmatrix}$$

And after finding the inverse, we convert back to the polynomial basis through multiplication by the matrix $X$.
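The following is an added example, not code from the paper: it rebuilds the matrices above from the constants $y$, $z$, $w$ in the AES polynomial basis, inverts them over GF(2), and compares the results with the tables A2X, X2A, X2S, S2X that Appendix A lists. The helpers gf_mul, bitmat_invert and aes_affine are our own. The composition check takes the field inverse as $g^{254}$ in the polynomial basis rather than in the subfield tower, which is valid because $X^{-1}$ is a field isomorphism, so $MX\,X^{-1}\,g^{-1} \oplus \mathtt{0x63}$ must still equal the AES S-box. It also counts the unfactored two-input XOR gates of the two matrix pairs (the "gates = 42" and "gates = 38" of the sample run in Appendix C), using the row rule stated after the product-form matrices.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not the paper's code: rebuild the case-4 matrices and check them. */
static const uint8_t A2X[8] = {0x98,0xF3,0xF2,0x48,0x09,0x81,0xA9,0xFF};   /* X^{-1}    */
static const uint8_t X2A[8] = {0x64,0x78,0x6E,0x8C,0x68,0x29,0xDE,0x60};   /* X         */
static const uint8_t X2S[8] = {0x58,0x2D,0x9E,0x0B,0xDC,0x04,0x03,0x24};   /* MX        */
static const uint8_t S2X[8] = {0x8C,0x79,0x05,0xEB,0x12,0x04,0x51,0x53};   /* (MX)^{-1} */

static uint8_t gf_mul(uint8_t a, uint8_t b)   /* multiply modulo q(x) = x^8+x^4+x^3+x+1 */
{
    uint8_t r = 0;
    for (; b; b >>= 1) {
        if (b & 1) r ^= a;
        a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1B : 0));
    }
    return r;
}
static uint8_t gf_pow(uint8_t a, unsigned e)
{
    uint8_t r = 1;
    for (; e; e >>= 1, a = gf_mul(a, a))
        if (e & 1) r = gf_mul(r, a);
    return r;
}
/* Bit matrices are 8 columns, col[0] for input bit 7 ... col[7] for bit 0, as in Appendix A. */
static uint8_t bitmat_apply(const uint8_t col[8], uint8_t x)
{
    uint8_t y = 0;
    for (int i = 0; i < 8; i++)
        if (x & (0x80 >> i)) y ^= col[i];
    return y;
}
static int bitmat_invert(const uint8_t col[8], uint8_t inv[8])   /* Gauss-Jordan over GF(2) */
{
    uint8_t row[8] = {0}, id[8];                 /* row r, bit (7-j) = entry (r, j) */
    for (int r = 0; r < 8; r++) {
        id[r] = (uint8_t)(0x80 >> r);
        for (int j = 0; j < 8; j++)
            if (col[j] & (0x80 >> r)) row[r] |= (uint8_t)(0x80 >> j);
    }
    for (int c = 0; c < 8; c++) {
        int p = c;
        while (p < 8 && !(row[p] & (0x80 >> c))) p++;
        if (p == 8) return 0;                    /* singular */
        uint8_t t = row[p]; row[p] = row[c]; row[c] = t;
        t = id[p]; id[p] = id[c]; id[c] = t;
        for (int r = 0; r < 8; r++)
            if (r != c && (row[r] & (0x80 >> c))) { row[r] ^= row[c]; id[r] ^= id[c]; }
    }
    for (int j = 0; j < 8; j++) {                /* back to column form */
        inv[j] = 0;
        for (int r = 0; r < 8; r++)
            if (id[r] & (0x80 >> j)) inv[j] |= (uint8_t)(0x80 >> r);
    }
    return 1;
}
static uint8_t aes_affine(uint8_t x)   /* AES affine matrix M, without the constant 0x63 */
{
    uint8_t y = 0;
    for (int i = 0; i < 8; i++) {
        int bit = (x >> i) ^ (x >> ((i + 4) & 7)) ^ (x >> ((i + 5) & 7))
                ^ (x >> ((i + 6) & 7)) ^ (x >> ((i + 7) & 7));
        y |= (uint8_t)((bit & 1) << i);
    }
    return y;
}
/* Column i of X (for b_{7-i}) is the product (w^2|w)(z^4|z)(y^16|y) selected by the bits of i. */
void build_X(uint8_t X[8])
{
    const uint8_t y = 0xFF, z = 0x5C, w = 0xBD;          /* case-4 constants from Section 6 */
    const uint8_t ws[2] = { gf_mul(w, w), w }, zs[2] = { gf_pow(z, 4), z }, ys[2] = { gf_pow(y, 16), y };
    for (int i = 0; i < 8; i++)
        X[i] = gf_mul(gf_mul(ws[i & 1], zs[(i >> 1) & 1]), ys[(i >> 2) & 1]);
}
/* 1 if X, X^{-1}, MX = M X and (MX)^{-1} rebuilt here equal X2A, A2X, X2S, S2X. */
int matrices_match_paper(void)
{
    uint8_t X[8], Xi[8], MX[8], MXi[8];
    build_X(X);
    if (!bitmat_invert(X, Xi)) return 0;
    for (int i = 0; i < 8; i++) MX[i] = aes_affine(X[i]);   /* M applied to each column of X */
    if (!bitmat_invert(MX, MXi)) return 0;
    for (int i = 0; i < 8; i++)
        if (X[i] != X2A[i] || Xi[i] != A2X[i] || MX[i] != X2S[i] || MXi[i] != S2X[i]) return 0;
    return 1;
}
int sbox_ref(int g) { return aes_affine(gf_pow((uint8_t)g, 254)) ^ 0x63; }   /* S(g) by definition */
/* Section 6 pipeline with the paper's tables, inverse taken in the polynomial basis. */
int sbox_via_tables(int g)
{
    return bitmat_apply(X2S, bitmat_apply(A2X, gf_pow((uint8_t)g, 254))) ^ 0x63;
}
int sbox_tables_agree_everywhere(void)
{
    for (int g = 0; g < 256; g++) if (sbox_via_tables(g) != sbox_ref(g)) return 0;
    return 1;
}
/* XOR gates of an unfactored 16 x 8 matrix pair: (ones per row - 1) summed = total ones - 16. */
int xor_gates_naive(const uint8_t m1[8], const uint8_t m2[8])
{
    int ones = 0;
    for (int i = 0; i < 8; i++)
        for (int b = 0; b < 8; b++) ones += ((m1[i] >> b) & 1) + ((m2[i] >> b) & 1);
    return ones - 16;
}
int main(void)
{
    printf("matrices match paper: %d, S-box agrees: %d, naive XOR gates: %d + %d\n",
           matrices_match_paper(), sbox_tables_agree_everywhere(),
           xor_gates_naive(A2X, S2X), xor_gates_naive(X2S, X2A));
    return 0;
}
```

The gate counts 42 and 38 are the starting points that bestboth.c then reduces to 20 and 18 by factoring shared column pairs.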

The optimized versions of these matrices can be shown in product form to indicate the factoring out of common bit combinations, as follows:

[Product-form factorizations of $X^{-1}$, $(MX)^{-1}$, $MX$ and $X$: each is an 8-row matrix times a chain of tall factors whose top block is the identity $I$ and whose remaining rows each select one precomputed XOR pair. For case 4 the input pair $X^{-1}$/$(MX)^{-1}$ factors through 17 columns (9 shared pairs, 20 XOR's) and the output pair $MX$/$X$ through 18 columns (10 shared pairs, 18 XOR's), as in the sample run of Appendix C; the individual 0/1 entries are not legible in this copy.]

where a horizontal line divides each matrix into two blocks, and $I$ means an identity matrix of appropriate size. For each matrix row, the number of 1's, less one, is the number of two-input XOR gates needed for that row.

The implementation of the Galois inverter has mostly been given in Section 4.2 above, since normal bases are used at each level. There can be found the top-level inverter, the $\mathrm{GF}(2^4)$ inverter and multiplier, the $\mathrm{GF}(2^2)$ inverter (square, i.e., bit swap), multiplier, and scalers for both $N = w^2$ and $N^2 = w$. The combination of multiplication with scaling by $N = w^2$ in $\mathrm{GF}(2^2)$ (for $\Gamma = g_1 w^2 + g_0 w$ and $\Delta = d_1 w^2 + d_0 w$) is given by

$$f = g_0 \otimes d_0$$
$$N \Gamma \Delta = [f \oplus ((g_1 \oplus g_0) \otimes (d_1 \oplus d_0))]\, w^2 + [f \oplus (g_1 \otimes d_1)]\, w$$

The only other operation required is the square-scale operator in the normal basis $\mathrm{GF}(2^4)$, as shown on page 15 for $C = 0$ and $D = N^2$, which is

$$\nu (A z^4 + B z)^2 = [(A \oplus B)^2]\, z^4 + [N^2 \otimes B^2]\, z$$

where the squaring is free.
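As an added example (not the paper's code), the case-4 normal-basis operations of Appendix A are re-expressed below with the same bit conventions and used to check the identities this section relies on: the multiply-and-scale formula above against scaling the plain product, squaring as inversion in GF(2^2), the square-scale operator as $\nu$ times the square, and $x \cdot x^{-1} = 1$ at the GF(2^4) and GF(2^8) levels (1 is all-ones in a normal basis). G256_mul is our own assumption: the paper gives only the inverter, and we form the product with the cross term scaled by $\nu$, the same shape as G16_mul with $N$; the constant NU is $\nu = N^2 \alpha^2$ written in the $(\alpha^8, \alpha^2)$ basis.

```c
#include <stdio.h>

/* Added example, not the paper's code: Appendix A operations plus identity checks. */
static int G4_mul(int x, int y)          /* GF(2^2), normal basis (w^2, w) */
{
    int a = (x >> 1) & 1, b = x & 1, c = (y >> 1) & 1, d = y & 1;
    int e = (a ^ b) & (c ^ d);
    return (((a & c) ^ e) << 1) | ((b & d) ^ e);
}
static int G4_scl_N(int x)  { int a = (x >> 1) & 1, b = x & 1; return (b << 1) | (a ^ b); } /* * N = w^2 */
static int G4_scl_N2(int x) { int a = (x >> 1) & 1, b = x & 1; return ((a ^ b) << 1) | a; } /* * N^2 = w */
static int G4_sq(int x)     { return ((x & 1) << 1) | ((x >> 1) & 1); }   /* square = inverse */

static int G16_mul(int x, int y)         /* GF(2^4), normal basis (alpha^8, alpha^2) */
{
    int a = (x >> 2) & 3, b = x & 3, c = (y >> 2) & 3, d = y & 3;
    int e = G4_scl_N(G4_mul(a ^ b, c ^ d));
    return ((G4_mul(a, c) ^ e) << 2) | (G4_mul(b, d) ^ e);
}
static int G16_sq_scl(int x)             /* nu * x^2, nu = N^2 alpha^2 */
{
    int a = (x >> 2) & 3, b = x & 3;
    return (G4_sq(a ^ b) << 2) | G4_scl_N2(G4_sq(b));
}
static int G16_inv(int x)
{
    int a = (x >> 2) & 3, b = x & 3;
    int e = G4_sq(G4_scl_N(G4_sq(a ^ b)) ^ G4_mul(a, b));   /* inverse = square in GF(2^2) */
    return (G4_mul(e, b) << 2) | G4_mul(e, a);
}
#define NU 0x1   /* nu in the (alpha^8, alpha^2) basis: high half 0, low half N^2 = w = 01 */
static int G256_mul(int x, int y)        /* assumed: GF(2^8), basis (d^16, d), cross term * nu */
{
    int a = (x >> 4) & 0xF, b = x & 0xF, c = (y >> 4) & 0xF, d = y & 0xF;
    int e = G16_mul(NU, G16_mul(a ^ b, c ^ d));
    return ((G16_mul(a, c) ^ e) << 4) | (G16_mul(b, d) ^ e);
}
static int G256_inv(int x)
{
    int a = (x >> 4) & 0xF, b = x & 0xF;
    int e = G16_inv(G16_sq_scl(a ^ b) ^ G16_mul(a, b));
    return (G16_mul(e, b) << 4) | G16_mul(e, a);
}

/* The multiply-and-scale-by-N formula of Section 6 equals scaling the product, for all pairs. */
int g4_mulscale_formula_holds(void)
{
    for (int g = 0; g < 4; g++)
        for (int d = 0; d < 4; d++) {
            int g1 = g >> 1, g0 = g & 1, d1 = d >> 1, d0 = d & 1, f = g0 & d0;
            int formula = ((f ^ ((g1 ^ g0) & (d1 ^ d0))) << 1) | (f ^ (g1 & d1));
            if (formula != G4_scl_N(G4_mul(g, d))) return 0;
        }
    return 1;
}
/* In GF(2^2) squaring is the inverse: x * x^2 = 1, where 1 = w^2 + w = binary 11. */
int g4_square_is_inverse(void)
{
    for (int x = 1; x < 4; x++) if (G4_mul(x, G4_sq(x)) != 0x3) return 0;
    return 1;
}
/* The square-scale operator equals nu times the square for every GF(2^4) element. */
int g16_sq_scl_is_nu_times_square(void)
{
    for (int x = 0; x < 16; x++) if (G16_sq_scl(x) != G16_mul(NU, G16_mul(x, x))) return 0;
    return 1;
}
/* x * x^{-1} = 1 at both levels; 1 is all-ones in a normal basis (0xF and 0xFF). */
int tower_inverses_hold(void)
{
    for (int x = 1; x < 16; x++)  if (G16_mul(x, G16_inv(x)) != 0xF) return 0;
    for (int x = 1; x < 256; x++) if (G256_mul(x, G256_inv(x)) != 0xFF) return 0;
    return 1;
}
int main(void)
{
    printf("mul-scale formula: %d, square=inverse: %d, sq-scale = nu*x^2: %d, inverses: %d\n",
           g4_mulscale_formula_holds(), g4_square_is_inverse(),
           g16_sq_scl_is_nu_times_square(), tower_inverses_hold());
    return 0;
}
```

The last check is the strongest: G256_inv is the Appendix A inverter structure, and G256_mul is built independently from the tower product, so their agreement for all 255 nonzero bytes confirms both the inverter and the value of $\nu$.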

Appendix A gives a C program that implements the S-box function (and its inverse) to illustrate the algorithm. This shows the hierarchical structure of the subfield approach, but does not include the low-level optimizations of Section 4.4. The output is a table that can be compared with the reference version in the file boxes-ref.dat, included in the "Reference code in ANSI C v2.2." link from The Rijndael Page:
http://www.esat.kuleuven.ac.be/~rijmen/rijndael/

Appendix B gives our compact implementation of the merged S-box and inverse as a Verilog module. All the low-level optimizations of Section 4.4 are shown. These include: pre-computing sums of high and low parts of common factors for multipliers; in the $\mathrm{GF}(2^8)$ inverter, using the bit sums of common factors to replace some terms in the scaled square of the sum of high and low inputs; similarly in the $\mathrm{GF}(2^4)$ inverter; and using NAND's instead of AND's.

We successfully tested this implementation using an FPGA (though our approach is really more appropriate for ASIC's). Specifically, we used an SRC-6E Reconfigurable Computer, which includes two Intel processors and two Virtex II FPGA's. As implemented on one FPGA, the function evaluation takes just one tick of the 100 MHz clock, the same amount of time needed for the table look-up approach.

We also implemented a complete AES encryptor/decryptor on this same system, using our S-box. Certain constraints (block RAM access) of this particular system prevent using table lookup for a fully unrolled pipelined version; 160 copies of the table (16 bytes/round x 10 rounds) would not fit. So for this system, our compact S-box allowed us to implement a fully pipelined encryptor/decryptor, where in the FPGA, effectively one block is processed for each clock tick.
7 Conclusion

The goal of this work is an algorithm to compute the S-box function of AES, that can be implemented in hardware with a minimal amount of circuitry. This should save a significant amount of chip area in ASIC hardware versions of AES. Moreover, this area savings could allow many copies of the S-box circuit to fit on a chip, enough to "unroll" the loop of 10 rounds. This in turn would allow the AES process to be fully pipelined, increasing the rate of throughput significantly (for non-feedback modes of encryption), on smaller chips.

This algorithm employs the multi-level representation of arithmetic in $\mathrm{GF}(2^8)$, similar to the previous compact implementation of Satoh et al. [12]. Our work shows how this approach leads to a whole family of 432 implementations, depending on the particular isomorphism (basis) chosen, from which we found the best one. And in factoring the transformation (basis change) matrices for compactness, rather than rely on the greedy algorithm as in prior work, we fully optimized the matrices, using our tree search algorithm with pruning of redundant cases. This gave an improvement over the greedy algorithm in 78% of the (16 x 8) matrices that we optimized. Also new is the detailed description of this nested-subfield algorithm, including specification of all constants for each choice of representation.

Our best compact implementation gives an S-box that is 16% smaller than the previously most compact version of [12]. We have shown that none of the other 431 versions possible with this subfield approach is as small. This compact S-box could be useful for many future hardware implementations of AES, for a variety of security applications.
A S-box Algorithm in C

/* sbox.c
 *
 * by: David Canright
 *
 * illustrates compact implementation of AES S-box via subfield operations
 * case # 4 : [d^16, d], [alpha^8, alpha^2], [Omega^2, Omega]
 * nu = beta^8 = N^2*alpha^2, N = w^2
 */

#include <stdio.h>

/* to convert between polynomial (A^7...1) basis A & normal basis X */
/* or to basis S which incorporates bit matrix of Sbox */
static int
  A2X[8] = {0x98, 0xF3, 0xF2, 0x48, 0x09, 0x81, 0xA9, 0xFF},
  X2A[8] = {0x64, 0x78, 0x6E, 0x8C, 0x68, 0x29, 0xDE, 0x60},
  X2S[8] = {0x58, 0x2D, 0x9E, 0x0B, 0xDC, 0x04, 0x03, 0x24},
  S2X[8] = {0x8C, 0x79, 0x05, 0xEB, 0x12, 0x04, 0x51, 0x53};

/* multiply in GF(2^2), using normal basis (Omega^2,Omega) */
int G4_mul( int x, int y ) {
  int a, b, c, d, e, p, q;
  a = (x & 0x2) >> 1; b = (x & 0x1);
  c = (y & 0x2) >> 1; d = (y & 0x1);
  e = (a ^ b) & (c ^ d);
  p = (a & c) ^ e;
  q = (b & d) ^ e;
  return ( (p<<1) | q );
}

/* scale by N = Omega^2 in GF(2^2), using normal basis (Omega^2,Omega) */
int G4_scl_N( int x ) {
  int a, b, p, q;
  a = (x & 0x2) >> 1; b = (x & 0x1);
  p = b;
  q = a ^ b;
  return ( (p<<1) | q );
}

/* scale by N^2 = Omega in GF(2^2), using normal basis (Omega^2,Omega) */
int G4_scl_N2( int x ) {
  int a, b, p, q;
  a = (x & 0x2) >> 1; b = (x & 0x1);
  p = a ^ b;
  q = a;
  return ( (p<<1) | q );
}

/* square in GF(2^2), using normal basis (Omega^2,Omega) */
/* NOTE: inverse is identical */
int G4_sq( int x ) {
  int a, b;
  a = (x & 0x2) >> 1; b = (x & 0x1);
  return ( (b<<1) | a );
}

/* multiply in GF(2^4), using normal basis (alpha^8,alpha^2) */
int G16_mul( int x, int y ) {
  int a, b, c, d, e, p, q;
  a = (x & 0xC) >> 2; b = (x & 0x3);
  c = (y & 0xC) >> 2; d = (y & 0x3);
  e = G4_mul( a ^ b, c ^ d );
  e = G4_scl_N( e );
  p = G4_mul( a, c ) ^ e;
  q = G4_mul( b, d ) ^ e;
  return ( (p<<2) | q );
}

/* square & scale by nu in GF(2^4)/GF(2^2), normal basis (alpha^8,alpha^2) */
/* nu = beta^8 = N^2*alpha^2, N = w^2 */
int G16_sq_scl( int x ) {
  int a, b, p, q;
  a = (x & 0xC) >> 2; b = (x & 0x3);
  p = G4_sq( a ^ b );
  q = G4_scl_N2( G4_sq( b ) );
  return ( (p<<2) | q );
}

/* inverse in GF(2^4), using normal basis (alpha^8,alpha^2) */
int G16_inv( int x ) {
  int a, b, c, d, e, p, q;
  a = (x & 0xC) >> 2; b = (x & 0x3);
  c = G4_scl_N( G4_sq( a ^ b ) );
  d = G4_mul( a, b );
  e = G4_sq( c ^ d );   /* really inverse, but same as square */
  p = G4_mul( e, b );
  q = G4_mul( e, a );
  return ( (p<<2) | q );
}

/* inverse in GF(2^8), using normal basis (d^16,d) */
int G256_inv( int x ) {
  int a, b, c, d, e, p, q;
  a = (x & 0xF0) >> 4; b = (x & 0x0F);
  c = G16_sq_scl( a ^ b );
  d = G16_mul( a, b );
  e = G16_inv( c ^ d );
  p = G16_mul( e, b );
  q = G16_mul( e, a );
  return ( (p<<4) | q );
}

/* convert to new basis in GF(2^8) */
/* i.e., bit matrix multiply; b[0] is the column for bit 7, b[7] for bit 0 */
int G256_newbasis( int x, int b[] ) {
  int i, y = 0;
  for ( i=7; i >= 0; i-- ) {
    if ( x & 1 ) y ^= b[i];
    x >>= 1;
  }
  return ( y );
}

/* find Sbox of n in GF(2^8) mod POLY */
int Sbox( int n ) {
  int t;
  t = G256_newbasis( n, A2X );
  t = G256_inv( t );
  t = G256_newbasis( t, X2S );
  return ( t ^ 0x63 );
}

/* find inverse Sbox of n in GF(2^8) mod POLY */
int iSbox( int n ) {
  int t;
  t = G256_newbasis( n ^ 0x63, S2X );
  t = G256_inv( t );
  t = G256_newbasis( t, X2A );
  return ( t );
}

/* compute tables of Sbox & its inverse; print 'em out */
int main( void ) {
  int Sbox_tbl[256], iSbox_tbl[256], i, j;
  for (i = 0; i < 256; i++) {
    Sbox_tbl[i] = Sbox(i);
    iSbox_tbl[i] = iSbox(i);
  }
  printf( "char S[256] = {\n" );
  for (i = 0; i < 16; i++) {
    for (j = 0; j < 16; j++) {
      printf( "%3d, ", Sbox_tbl[i*16+j] );
    }
    printf( "\n" );
  }
  printf( "};\n\n" );
  printf( "char Si[256] = {\n" );
  for (i = 0; i < 16; i++) {
    for (j = 0; j < 16; j++) {
      printf( "%3d, ", iSbox_tbl[i*16+j] );
    }
    printf( "\n" );
  }
  printf( "};\n\n" );
  return (0);
}
B S-box Algorithm in Verilog

/* S-box using all normal bases */
/* case # 4 : [d^16, d], [alpha^8, alpha^2], [Omega^2, Omega] */
/* beta^8 = N^2*alpha^2, N = w^2 */

/* square in GF(2^2), using normal basis [Omega^2,Omega] */
/* inverse is the same as square in GF(2^2), using any normal basis */
module GF_SQ_2 ( A, Q );
    input  [1:0] A;
    output [1:0] Q;

    assign Q = { A[0], A[1] };
endmodule

/* scale by w = Omega in GF(2^2), using normal basis [Omega^2,Omega] */
module GF_SCLW_2 ( A, Q );
    input  [1:0] A;
    output [1:0] Q;

    assign Q = { (A[1] ^ A[0]), A[1] };
endmodule

/* scale by w^2 = Omega^2 in GF(2^2), using normal basis [Omega^2,Omega] */
module GF_SCLW2_2 ( A, Q );
    input  [1:0] A;
    output [1:0] Q;

    assign Q = { A[0], (A[1] ^ A[0]) };
endmodule

/* multiply in GF(2^2), shared factors, using normal basis [Omega^2,Omega] */
module GF_MULS_2 ( A, ab, B, cd, Q );
    input  [1:0] A;
    input        ab;
    input  [1:0] B;
    input        cd;
    output [1:0] Q;
    wire m0, m1, ms;

    nand n0(m0, A[0], B[0]);
    nand n1(m1, A[1], B[1]);
    nand ns(ms, ab, cd);
    assign Q = { m1 ^ ms, m0 ^ ms };
endmodule

/* multiply & scale by N in GF(2^2), shared factors, basis [Omega^2,Omega] */
module GF_MULS_SCL_2 ( A, ab, B, cd, Q );
    input  [1:0] A;
    input        ab;
    input  [1:0] B;
    input        cd;
    output [1:0] Q;
    wire m0, m1, ms;

    nand n0(m0, A[0], B[0]);
    nand n1(m1, A[1], B[1]);
    nand ns(ms, ab, cd);
    assign Q = { ms ^ m0, m1 ^ m0 };
endmodule

/* inverse in GF(2^4)/GF(2^2), using normal basis [alpha^8, alpha^2] */
module GF_INV_4 ( A, Q );
    input  [3:0] A;
    output [3:0] Q;
    wire [1:0] a, b, ab, ab2N, d, p, q;
    wire sa, sb, sd;   /* for shared factors in multipliers */

    assign a  = A[3:2];
    assign b  = A[1:0];
    assign sa = a[1] ^ a[0];
    assign sb = b[1] ^ b[0];
    GF_MULS_2 abmul(a, sa, b, sb, ab);
    /* optimize this section as shown below
    GF_SQ_2    absq( (a ^ b), ab2);
    GF_SCLW2_2 absclN( ab2, ab2N);
    */
    assign ab2N = { a[1] ^ b[1], sa ^ sb };
    /* end of optimization */
    GF_SQ_2 dinv( (ab ^ ab2N), d);
    assign sd = d[1] ^ d[0];
    GF_MULS_2 pmul(d, sd, b, sb, p);
    GF_MULS_2 qmul(d, sd, a, sa, q);
    assign Q = { p, q };
endmodule

/* square & scale by nu in GF(2^4)/GF(2^2), normal basis [alpha^8, alpha^2] */
/* nu = beta^8 = N^2*alpha^2, N = w^2 */
module GF_SQ_SCL_4 ( A, Q );
    input  [3:0] A;
    output [3:0] Q;
    wire [1:0] a, b, ab2, b2, b2N2;

    assign a = A[3:2];
    assign b = A[1:0];
    GF_SQ_2   absq(a ^ b, ab2);
    GF_SQ_2   bsq(b, b2);
    GF_SCLW_2 bmulN2(b2, b2N2);
    assign Q = { ab2, b2N2 };
endmodule

/* multiply in GF(2^4)/GF(2^2), shared factors, basis [alpha^8, alpha^2] */
module GF_MULS_4 ( A, a, Al, Ah, aa, B, b, Bl, Bh, bb, Q );
    input  [3:0] A;
    input  [1:0] a;
    input        Al;
    input        Ah;
    input        aa;
    input  [3:0] B;
    input  [1:0] b;
    input        Bl;
    input        Bh;
    input        bb;
    output [3:0] Q;
    wire [1:0] ph, pl, p;

    GF_MULS_2     himul(A[3:2], Ah, B[3:2], Bh, ph);
    GF_MULS_2     lomul(A[1:0], Al, B[1:0], Bl, pl);
    GF_MULS_SCL_2 summul( a, aa, b, bb, p);
    assign Q = { (ph ^ p), (pl ^ p) };
endmodule

/* inverse in GF(2^8)/GF(2^4), using normal basis [d^16, d] */
module GF_INV_8 ( A, Q );
    input  [7:0] A;
    output [7:0] Q;
    wire [3:0] a, b, ab, ab2, d, p, q;
    wire [1:0] sa, sb, sd, t;   /* for shared factors in multipliers */
    wire al, ah, aa, bl, bh, bb, dl, dh, dd;   /* for shared factors */

    assign a  = A[7:4];
    assign b  = A[3:0];
    assign sa = a[3:2] ^ a[1:0];
    assign sb = b[3:2] ^ b[1:0];
    assign al = a[1] ^ a[0];
    assign ah = a[3] ^ a[2];
    assign aa = sa[1] ^ sa[0];
    assign bl = b[1] ^ b[0];
    assign bh = b[3] ^ b[2];
    assign bb = sb[1] ^ sb[0];
    GF_MULS_4 abmul(a, sa, al, ah, aa, b, sb, bl, bh, bb, ab);
    /* optimize this section as shown below
    GF_SQ_SCL_4 absq( (a ^ b), ab2);
    */
    assign t   = sa ^ sb;
    assign ab2 = { t[0], t[1], al ^ bl, a[0] ^ b[0] };
    /* end of optimization */
    GF_INV_4 dinv( (ab ^ ab2), d);
    assign sd = d[3:2] ^ d[1:0];
    assign dl = d[1] ^ d[0];
    assign dh = d[3] ^ d[2];
    assign dd = sd[1] ^ sd[0];
    GF_MULS_4 pmul(d, sd, dl, dh, dd, b, sb, bl, bh, bb, p);
    GF_MULS_4 qmul(d, sd, dl, dh, dd, a, sa, al, ah, aa, q);
    assign Q = { p, q };
endmodule

/* MUX21I is an inverting 2:1 multiplexor */
module MUX21I ( A, B, s, Q );
    input  A;
    input  B;
    input  s;
    output Q;

    assign Q = ~(s ? A : B);   /* mock-up for FPGA implementation */
endmodule

/* select and invert (NOT) byte, using MUX21I */
module SELECT_NOT_8 ( A, B, s, Q );
    input  [7:0] A;
    input  [7:0] B;
    input        s;
    output [7:0] Q;

    MUX21I m7(A[7], B[7], s, Q[7]);
    MUX21I m6(A[6], B[6], s, Q[6]);
    MUX21I m5(A[5], B[5], s, Q[5]);
    MUX21I m4(A[4], B[4], s, Q[4]);
    MUX21I m3(A[3], B[3], s, Q[3]);
    MUX21I m2(A[2], B[2], s, Q[2]);
    MUX21I m1(A[1], B[1], s, Q[1]);
    MUX21I m0(A[0], B[0], s, Q[0]);
endmodule

/* find either Sbox or its inverse in GF(2^8), by Canright Algorithm */
module bSbox ( A, encrypt, Q );
    input  [7:0] A;
    input        encrypt;   /* 1 for Sbox, 0 for inverse Sbox */
    output [7:0] Q;
    wire [7:0] B, C, D, X, Y, Z;
    wire R1, R2, R3, R4, R5, R6, R7, R8, R9;
    wire T1, T2, T3, T4, T5, T6, T7, T8, T9, T10;

    /* change basis from GF(2^8) to GF(2^8)/GF(2^4)/GF(2^2) */
    /* combine with bit inverse matrix multiply of Sbox */
    /* (B is the complement of X^{-1} A, Y the complement of (MX)^{-1}(A ^ 0x63);
       SELECT_NOT_8 below restores the polarity) */
    assign R1 = A[7] ^  A[5] ;
    assign R2 = A[7] ~^ A[4] ;
    assign R3 = A[6] ^  A[0] ;
    assign R4 = A[5] ~^ R3   ;
    assign R5 = A[4] ^  R4   ;
    assign R6 = A[3] ^  A[0] ;
    assign R7 = A[2] ^  R1   ;
    assign R8 = A[1] ^  R3   ;
    assign R9 = A[3] ^  R8   ;
    assign B[7] = R7 ~^ R8 ;
    assign B[6] = R5 ;
    assign B[5] = A[1] ^ R4 ;
    assign B[4] = R1 ~^ R3 ;
    assign B[3] = A[1] ^ R2 ^ R6 ;
    assign B[2] = ~A[0] ;
    assign B[1] = R4 ;
    assign B[0] = A[2] ~^ R9 ;
    assign Y[7] = R2 ;
    assign Y[6] = A[4] ^ R8 ;
    assign Y[5] = A[6] ^ A[4] ;
    assign Y[4] = R9 ;
    assign Y[3] = A[6] ~^ R2 ;
    assign Y[2] = R7 ;
    assign Y[1] = A[4] ^ R6 ;
    assign Y[0] = A[1] ^ R5 ;
    SELECT_NOT_8 sel_in( B, Y, encrypt, Z );
    GF_INV_8 inv( Z, C );
    /* change basis back from GF(2^8)/GF(2^4)/GF(2^2) to GF(2^8) */
    /* (D is the complement of MX C ^ 0x63, X the complement of X C) */
    assign T1  = C[7] ^  C[3] ;
    assign T2  = C[6] ^  C[4] ;
    assign T3  = C[6] ^  C[0] ;
    assign T4  = C[5] ~^ C[3] ;
    assign T5  = C[5] ~^ T1   ;
    assign T6  = C[5] ~^ C[1] ;
    assign T7  = C[4] ~^ T6   ;
    assign T8  = C[2] ^  T4   ;
    assign T9  = C[1] ^  T2   ;
    assign T10 = T3   ^  T5   ;
    assign D[7] = T4 ;
    assign D[6] = T1 ;
    assign D[5] = T3 ;
    assign D[4] = T5 ;
    assign D[3] = T2 ^ T5 ;
    assign D[2] = T3 ^ T8 ;
    assign D[1] = T7 ;
    assign D[0] = T9 ;
    assign X[7] = C[4] ~^ C[1] ;
    assign X[6] = C[1] ^ T10 ;
    assign X[5] = C[2] ^ T10 ;
    assign X[4] = C[6] ~^ C[1] ;
    assign X[3] = T8 ^ T9 ;
    assign X[2] = C[7] ~^ T7 ;
    assign X[1] = T6 ;
    assign X[0] = ~C[2] ;
    SELECT_NOT_8 sel_out( D, X, encrypt, Q );
endmodule

/* test program: put Sbox output into register */
module Sbox_r ( A, S, Si, CLK );
    input  [7:0] A;
    output [7:0] S;
    output [7:0] Si;
    input CLK /* synthesis syn_noclockbuf=1 */ ;
    reg  [7:0] S;
    reg  [7:0] Si;
    wire [7:0] s;
    wire [7:0] si;

    bSbox sbe(A, 1, s);
    bSbox sbd(A, 0, si);
    always @ (posedge CLK) begin
        S  <= s;
        Si <= si;
    end
endmodule
C Bit-Matrix Optimizer in C

/* bestboth.c
 *
 * by: David Canright
 *
 * for each input basis, and each of 4 transformation matrices,
 * takes bit matrix and finds equivalent with minimum # of gates
 * combining both input matrices, and both output matrices
 * NOTE: matrix input order is: [A2X, X2A, X2S, S2X]
 *
 * input should have lines of the form:
 *    hexstring num
 * where hexstring contains all 4 matrices, num is an ID#, e.g.:
 *    98F3F2480981A9FF64786E8C6829DE60582D9E0BDC0403248C7905EB12045153 4
 * for which the output should be:
 *
 *    basis #  4:
 *       A2X: 98F3F2480981A9FF   S2X: 8C7905EB12045153
 *     ncols =  8, gates = 42
 *      A2Xb: 0000000000012804100810224008808001
 *      S2Xb: 0028006200000100008800000102044010
 *     [0,2], [0,3], [1,7], [2,10], [3,11], [4,7], [5,8], [6,10], [4,15],
 *     ncols = 17, gates = 20
 *       X2S: 582D9E0BDC040324   X2A: 64786E8C6829DE60
 *     ncols =  8, gates = 38
 *      X2Sb: 000000000000000040082480180002040100
 *      X2Ab: 041000800021D00000000000000204080860
 *     [0,4], [1,3], [1,7], [2,4], [2,8], [2,6], [3,13], [5,11], [6,9], [10,12],
 *     ncols = 18, gates = 18
 *    ***bestgates   4 =    38 =   20 +   18
 *
 * which, for each matrix pair, shows the original versions (8 columns),
 * the optimized versions, and a list of index pairs for precomputed XORs,
 * which correspond to new columns.  Also shown: # XOR gates required.
 * Note: a "quick" test case is:
 *    F1261450CA86D330C502A8BF412B3590352582D03974323C65C4836C69953380 0
 *
 * uses pruning algorithm to eliminate redundant cases; minimal memory copying
 */

#include <stdio.h>
#include <string.h>

#define N 8

/* gatematrix is a structure with an array of 16-bit columns,
   list of indices (used in pairs), number of columns, and number of gates */
typedef struct gatematrix
  { unsigned int mat[128]; char ind[256]; int n; int g; }
GateMat;

static unsigned int share[65536];   /* share[c] = (# bits set in c) - 1: gates saved by sharing c */
static GateMat test;

/* blockPrint prints columns and index pairs for matrix pair */
void blockPrint (GateMat *p, const char *tag1, const char *tag2)
{
  int i;
  printf ("%6s: ", tag1);
  for (i = 0; i < p->n; i++)
    printf ("%02X", (p->mat[i]) & 0xFF );
  if ((p->n) > N) printf ("\n");
  printf ("%6s: ", tag2);
  for (i = 0; i < p->n; i++)
    printf ("%02X", ((p->mat[i]) & 0xFF00) >> 8 );
  if ((p->n) > N) printf ("\n");
  for (i = 0; i < (p->n)-N; i++)
    printf (" [%d, %d], ", p->ind[2*i], p->ind[2*i+1]);
  printf ("\n ncols = %2d, gates = %2d\n", p->n, p->g);
} /* end blockPrint */

/* copyMat copies from one to another */
void copyMat (GateMat *p, GateMat *q)
{
  int n;
  n = q->n = p->n;
  q->g = p->g;
  memcpy( q->mat, p->mat, n * sizeof(unsigned int));
  memcpy( q->ind, p->ind, (n - N)*2);
} /* end copyMat */

/*
 * bestgates is recursive:
 * takes current matrix, tries all possibilities of adding a gate
 * returns best # of gates
 * the global test matrix is the input, and is used to store output.
 * tree search is pruned if this set of columns previously tried
 */
void bestgates (void)
{
  char indb[256];
  int gb, nb, ci, cj;
  int i, j, n, c, g, io, jo;
  int nm, np, n2, n2p, t;

  gb = 1024;   /* best # gates, start high */
  nb = 0;
  n = test.n; g = test.g;
  nm = n-1; np = n+1; n2 = 2*(n-N); n2p = n2+1;
  if (n == N) io = jo = 0;   /* if orig matrix, no "old" index pair */
  else { io = (test.ind[n2-2]); jo = (test.ind[n2-1]); }
  for (i=0; i<nm; i++)   /* for each pair of columns */
    for (j=i+1; j<n; j++) {
      c = (test.mat[i]) & (test.mat[j]);
      if ((t = share[c])) {   /* if can share a gate */
        if (i<io && j!=io && j!=jo && j<nm)   /* if prior, indep. pair */
          continue;   /* then been there, done that; skip to next j */
        test.n = np;
        test.g = g - t;
        ci = test.mat[i];   /* save current columns */
        cj = test.mat[j];
        test.mat[i] ^= c;   /* update to new columns */
        test.mat[j] ^= c;
        test.mat[n] = c;
        test.ind[n2] = i;
        test.ind[n2p] = j;
        bestgates();   /* recurse with new matrix */
        test.mat[i] = ci;   /* restore current columns */
        test.mat[j] = cj;
        if ( test.g < gb ) {   /* if best yet, save data */
          memcpy( indb, test.ind+n2, (test.n - n)*2);
          nb = test.n;
          gb = test.g;
        }
      }
    } /* end columns loop */
  if (gb < 1024) {   /* if improved, return best data */
    memcpy( test.ind+n2, indb, (nb - n)*2);
    test.n = nb;
    test.g = gb;
  }
  /* else {printf ("%3d [%2d] ", n, g); fflush(stdout);} */
} /* end bestgates */

/* bestmat reconstructs best matrix */
void bestmat (GateMat *p)
{
  int i, j, n, c;

  p->g = test.g;
  for (i=0; i<N; i++) test.mat[i] = p->mat[i];
  for (n=0; n<(test.n-N); n++) {
    i = test.ind[n*2];
    j = test.ind[n*2+1];
    c = (test.mat[i]) & (test.mat[j]);
    test.mat[i] ^= c;
    test.mat[j] ^= c;
    test.mat[n+N] = c;
  }
} /* end bestmat */

/* main */
int main( int argc, char *argv[] ){
  char line[256];
  char name[4][4]  = {"A2X", "X2S", "S2X", "X2A"};
  char bname[4][5] = {"A2Xb", "X2Sb", "S2Xb", "X2Ab"};
  int i, j, k, nid, gt;
  unsigned u;
  int InitMat[32];
  GateMat orig[2];

  (void)argc; (void)argv;
  /* share[i] is initialized to 0 if # bits < 2 */
  share[0] = 0;
  for (i=1; i<65536; i++) {
    k = 0;
    for (j = i & 0xFFFF; j; j >>= 1) k += j & 1;
    share[i] = k - 1;
  }
  while ( fgets( line, 256, stdin ) == line ) {
    for ( i=0; i < 32; i++ ) {   /* read matrices, ID number */
      sscanf( line+2*i, "%2X", &u );
      InitMat[i] = u;
    }
    sscanf( line+65, "%d", &nid );
    printf ("\nbasis #%3d:\n", nid);
    /* NOTE: matrix input order is: [A2X, X2A, X2S, S2X] */
    for (i=0; i<8; i++) {   /* combine input pair; combine output pair */
      (orig[0]).mat[i] = InitMat[8*0+i] | (InitMat[8*3+i] << 8);
      (orig[1]).mat[i] = InitMat[8*2+i] | (InitMat[8*1+i] << 8);
    }
    gt = 0;
    for (k=0; k<2; k++) {   /* for each matrix pair */
      (orig[k]).n = 8;   /* initialize # columns, # gates */
      for (i=j=0; i<8; i++) j += share[ (orig[k]).mat[i] ];
      (orig[k]).g = j - 8;
      blockPrint (&(orig[k]), name[k], name[k+2]);
      fflush(stdout);
      copyMat (&(orig[k]), &test);
      bestgates();   /* optimize */
      bestmat (&(orig[k]));
      blockPrint (&test, bname[k], bname[k+2]);
      fflush(stdout);
      gt += test.g;   /* total # gates */
    }
    printf ("***bestgates %3d = %5d =%5d +%5d\n",
            nid, gt, (orig[0]).g, (orig[1]).g );
    fflush(stdout);
  }
  return (0);
} /* end main */
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D  Tables  for  GF{ 2s) 

D.1  Logarithm Table

For each number in decimal, hexadecimal, and binary, gives the logarithm base B in GF(2^8),
using the polynomial basis from the root A of q(x) = x^8 + x^4 + x^3 + x + 1, where B = A + 1.
(See Table D.3 for an explanation of the names; X^n denotes the n-th power of the element named X.)

 dec  hex  binary     log   name
   0  00   00000000   -∞    0
   1  01   00000001     0   1
   2  02   00000010    25   A
   3  03   00000011     1   B
   4  04   00000100    50   A^2
   5  05   00000101     2   B^2
   6  06   00000110    26   C^2
   7  07   00000111   198   F^64
   8  08   00001000    75   E^64
   9  09   00001001   199   D^8
  10  0A   00001010    27   F
  11  0B   00001011   104   C^8
  12  0C   00001100    51   γ
  13  0D   00001101   238   β
  14  0E   00001110   223   b^32
  15  0F   00001111     3   K
  16  10   00010000   100   A^4
  17  11   00010001     4   B^4
  18  12   00010010   224   d^32
  19  13   00010011    14   d^2
  20  14   00010100    52   C^4
  21  15   00010101   141   F^128
  22  16   00010110   129   K^128
  23  17   00010111   239   b^16
  24  18   00011000    76   g^4
  25  19   00011001   113   J^16
  26  1A   00011010     8   B^8
  27  1B   00011011   200   A^8
  28  1C   00011100   248   D
  29  1D   00011101   105   E^8
  30  1E   00011110    28   d^4
  31  1F   00011111   193   d^64
  32  20   00100000   125   R^128
  33  21   00100001   194   s^64
  34  22   00100010    29   j^32
  35  23   00100011   181   h^2
  36  24   00100100   249   k^2
  37  25   00100101   185   a^64
  38  26   00100110    39   f^8
  39  27   00100111   106   M^128
  40  28   00101000    77   M^16
  41  29   00101001   228   f
  42  2A   00101010   166   M^8
  43  2B   00101011   114   f^128
  44  2C   00101100   154   M^32
  45  2D   00101101   201   f^2
  46  2E   00101110     9   l
  47  2F   00101111   120   T^8
  48  30   00110000   101   m^32
  49  31   00110001    47   c^16
  50  32   00110010   138   N^128
  51  33   00110011     5   r
  52  34   00110100    33   l^32
  53  35   00110101    15   T
  54  36   00110110   225   T^32
  55  37   00110111    36   l^4
  56  38   00111000    18   l^2
  57  39   00111001   240   T^16
  58  3A   00111010   130   r^128
  59  3B   00111011    69   N^64
  60  3C   00111100    53   M^64
  61  3D   00111101   147   f^4
  62  3E   00111110   218   h
  63  3F   00111111   142   j^16
  64  40   01000000   150   E^128
  65  41   01000001   143   D^16
  66  42   01000010   219   L^4
  67  43   01000011   189   L^64
  68  44   01000100    54   F^2
  69  45   01000101   208   C^16
  70  46   01000110   206   G^16
  71  47   01000111   148   H^4
  72  48   01001000    19   g
  73  49   01001001    92   J^4
  74  4A   01001010   210   E^16
  75  4B   01001011   241   D^2
  76  4C   01001100    64   B^64
  77  4D   01001101    70   A^64
  78  4E   01001110   131   d^128
  79  4F   01001111    56   d^8
  80  50   01010000   102   γ^2
  81  51   01010001   221   β^2
  82  52   01010010   253   b^2
  83  53   01010011    48   K^16
  84  54   01010100   191   b^64
  85  55   01010101     6   K^2
  86  56   01010110   139   J^128
  87  57   01010111    98   g^32
  88  58   01011000   179   G^4
  89  59   01011001    37   H
  90  5A   01011010   226   J^32
  91  5B   01011011   152   g^8
  92  5C   01011100    34   α^2
  93  5D   01011101   136   α^8
  94  5E   01011110   145   A^16
  95  5F   01011111    16   B^16
  96  60   01100000   126   k^128
  97  61   01100001   110   a^16
  98  62   01100010    72   l^8
  99  63   01100011   195   T^64
 100  64   01100100   163   j^4
 101  65   01100101   182   h^64
 102  66   01100110    30   T^2
 103  67   01100111    66   l^64
 104  68   01101000    58   j^64
 105  69   01101001   107   h^4
 106  6A   01101010    40   r^8
 107  6B   01101011    84   N^4
 108  6C   01101100   250   R
 109  6D   01101101   133   s^128
 110  6E   01101110    61   S^64
 111  6F   01101111   186   n^64
 112  70   01110000    43   m
 113  71   01110001   121   c^128
 114  72   01110010    10   r^2
 115  73   01110011    21   N
 116  74   01110100   155   a^4
 117  75   01110101   159   k^32
 118  76   01110110    94   c^32
 119  77   01110111   202   m^64
 120  78   01111000    78   f^16
 121  79   01111001   212   M
 122  7A   01111010   172   m^4
 123  7B   01111011   229   c^2
 124  7C   01111100   243   k^4
 125  7D   01111101   115   a^128
 126  7E   01111110   167   S^8
 127  7F   01111111    87   n^8
 128  80   10000000   175   R^16
 129  81   10000001    88   s^8
 130  82   10000010   168   N^8
 131  83   10000011    80   r^16
 132  84   10000100   244   S
 133  85   10000101   234   n
 134  86   10000110   214   h^8
 135  87   10000111   116   j^128
 136  88   10001000    79   S^16
 137  89   10001001   174   n^16
 138  8A   10001010   233   S^2
 139  8B   10001011   213   n^2
 140  8C   10001100   231   k^8
 141  8D   10001101   230   a
 142  8E   10001110   173   h^16
 143  8F   10001111   232   j
 144  90   10010000    44   s^4
 145  91   10010001   215   R^8
 146  92   10010010   117   n^128
 147  93   10010011   122   S^128
 148  94   10010100   235   R^4
 149  95   10010101    22   s^2
 150  96   10010110    11   s
 151  97   10010111   245   R^2
 152  98   10011000    89   m^8
 153  99   10011001   203   c^4
 154  9A   10011010    95   R^32
 155  9B   10011011   176   s^16
 156  9C   10011100   156   f^32
 157  9D   10011101   169   M^2
 158  9E   10011110    81   N^16
 159  9F   10011111   160   r^32
 160  A0   10100000   127   b^128
 161  A1   10100001    12   K^4
 162  A2   10100010   246   L
 163  A3   10100011   111   L^16
 164  A4   10100100    23   J
 165  A5   10100101   196   g^64
 166  A6   10100110    73   H^64
 167  A7   10100111   236   G
 168  A8   10101000   216   F^8
 169  A9   10101001    67   C^64
 170  AA   10101010    31   D^32
 171  AB   10101011    45   E
 172  AC   10101100   164   H^32
 173  AD   10101101   118   G^128
 174  AE   10101110   123   L^128
 175  AF   10101111   183   L^8
 176  B0   10110000   204   γ^4
 177  B1   10110001   187   β^4
 178  B2   10110010    62   D^64
 179  B3   10110011    90   E^2
 180  B4   10110100   251   b^4
 181  B5   10110101    96   K^32
 182  B6   10110110   177   F^16
 183  B7   10110111   134   C^128
 184  B8   10111000    59   G^64
 185  B9   10111001    82   H^16
 186  BA   10111010   161   C^32
 187  BB   10111011   108   F^4
 188  BC   10111100   170   Ω^2
 189  BD   10111101    85   Ω
 190  BE   10111110    41   H^8
 191  BF   10111111   157   G^32
 192  C0   11000000   151   c^8
 193  C1   11000001   178   m^16
 194  C2   11000010   135   T^128
 195  C3   11000011   144   l^16
 196  C4   11000100    97   s^32
 197  C5   11000101   190   R^64
 198  C6   11000110   220   a^32
 199  C7   11000111   252   k
 200  C8   11001000   188   c^64
 201  C9   11001001   149   m^128
 202  CA   11001010   207   k^16
 203  CB   11001011   205   a^2
 204  CC   11001100    55   a^8
 205  CD   11001101    63   k^64
 206  CE   11001110    91   h^32
 207  CF   11001111   209   j^2
 208  D0   11010000    83   M^4
 209  D1   11010001    57   f^64
 210  D2   11010010   132   l^128
 211  D3   11010011    60   T^4
 212  D4   11010100    65   r^64
 213  D5   11010101   162   N^32
 214  D6   11010110   109   h^128
 215  D7   11010111    71   j^8
 216  D8   11011000    20   r^4
 217  D9   11011001    42   N^2
 218  DA   11011010   158   S^32
 219  DB   11011011    93   n^32
 220  DC   11011100    86   m^2
 221  DD   11011101   242   c
 222  DE   11011110   211   S^4
 223  DF   11011111   171   n^4
 224  E0   11100000    68   α^4
 225  E1   11100001    17   α
 226  E2   11100010   146   H^128
 227  E3   11100011   217   G^2
 228  E4   11100100    35   A^32
 229  E5   11100101    32   B^32
 230  E6   11100110    46   J^2
 231  E7   11100111   137   g^128
 232  E8   11101000   180   E^4
 233  E9   11101001   124   D^128
 234  EA   11101010   184   J^8
 235  EB   11101011    38   g^2
 236  EC   11101100   119   β^8
 237  ED   11101101   153   γ^8
 238  EE   11101110   227   D^4
 239  EF   11101111   165   E^32
 240  F0   11110000   103   G^8
 241  F1   11110001    74   H^2
 242  F2   11110010   237   L^2
 243  F3   11110011   222   L^32
 244  F4   11110100   197   J^64
 245  F5   11110101    49   g^16
 246  F6   11110110   254   b
 247  F7   11110111    24   K^8
 248  F8   11111000    13   C
 249  F9   11111001    99   F^32
 250  FA   11111010   140   A^128
 251  FB   11111011   128   B^128
 252  FC   11111100   192   K^64
 253  FD   11111101   247   b^8
 254  FE   11111110   112   d^16
 255  FF   11111111     7   d

D.2  Antilogarithm Table

Same information as the previous table, but ordered by logarithm base B.

 dec  hex  binary     log   name
   0  00   00000000   -∞    0
   1  01   00000001     0   1
   3  03   00000011     1   B
   5  05   00000101     2   B^2
  15  0F   00001111     3   K
  17  11   00010001     4   B^4
  51  33   00110011     5   r
  85  55   01010101     6   K^2
 255  FF   11111111     7   d
  26  1A   00011010     8   B^8
  46  2E   00101110     9   l
 114  72   01110010    10   r^2
 150  96   10010110    11   s
 161  A1   10100001    12   K^4
 248  F8   11111000    13   C
  19  13   00010011    14   d^2
  53  35   00110101    15   T
  95  5F   01011111    16   B^16
 225  E1   11100001    17   α
  56  38   00111000    18   l^2
  72  48   01001000    19   g
 216  D8   11011000    20   r^4
 115  73   01110011    21   N
 149  95   10010101    22   s^2
 164  A4   10100100    23   J
 247  F7   11110111    24   K^8
   2  02   00000010    25   A
   6  06   00000110    26   C^2
  10  0A   00001010    27   F
  30  1E   00011110    28   d^4
  34  22   00100010    29   j^32
 102  66   01100110    30   T^2
 170  AA   10101010    31   D^32
 229  E5   11100101    32   B^32
  52  34   00110100    33   l^32
  92  5C   01011100    34   α^2
 228  E4   11100100    35   A^32
  55  37   00110111    36   l^4
  89  59   01011001    37   H
 235  EB   11101011    38   g^2
  38  26   00100110    39   f^8
 106  6A   01101010    40   r^8
 190  BE   10111110    41   H^8
 217  D9   11011001    42   N^2
 112  70   01110000    43   m
 144  90   10010000    44   s^4
 171  AB   10101011    45   E
 230  E6   11100110    46   J^2
  49  31   00110001    47   c^16
  83  53   01010011    48   K^16
 245  F5   11110101    49   g^16
   4  04   00000100    50   A^2
  12  0C   00001100    51   γ
  20  14   00010100    52   C^4
  60  3C   00111100    53   M^64
  68  44   01000100    54   F^2
 204  CC   11001100    55   a^8
  79  4F   01001111    56   d^8
 209  D1   11010001    57   f^64
 104  68   01101000    58   j^64
 184  B8   10111000    59   G^64
 211  D3   11010011    60   T^4
 110  6E   01101110    61   S^64
 178  B2   10110010    62   D^64
 205  CD   11001101    63   k^64
  76  4C   01001100    64   B^64
 212  D4   11010100    65   r^64
 103  67   01100111    66   l^64
 169  A9   10101001    67   C^64
 224  E0   11100000    68   α^4
  59  3B   00111011    69   N^64
  77  4D   01001101    70   A^64
 215  D7   11010111    71   j^8
  98  62   01100010    72   l^8
 166  A6   10100110    73   H^64
 241  F1   11110001    74   H^2
   8  08   00001000    75   E^64
  24  18   00011000    76   g^4
  40  28   00101000    77   M^16
 120  78   01111000    78   f^16
 136  88   10001000    79   S^16
 131  83   10000011    80   r^16
 158  9E   10011110    81   N^16
 185  B9   10111001    82   H^16
 208  D0   11010000    83   M^4
 107  6B   01101011    84   N^4
 189  BD   10111101    85   Ω
 220  DC   11011100    86   m^2
 127  7F   01111111    87   n^8
 129  81   10000001    88   s^8
 152  98   10011000    89   m^8
 179  B3   10110011    90   E^2
 206  CE   11001110    91   h^32
  73  49   01001001    92   J^4
 219  DB   11011011    93   n^32
 118  76   01110110    94   c^32
 154  9A   10011010    95   R^32
 181  B5   10110101    96   K^32
 196  C4   11000100    97   s^32
  87  57   01010111    98   g^32
 249  F9   11111001    99   F^32
  16  10   00010000   100   A^4
  48  30   00110000   101   m^32
  80  50   01010000   102   γ^2
 240  F0   11110000   103   G^8
  11  0B   00001011   104   C^8
  29  1D   00011101   105   E^8
  39  27   00100111   106   M^128
 105  69   01101001   107   h^4
 187  BB   10111011   108   F^4
 214  D6   11010110   109   h^128
  97  61   01100001   110   a^16
 163  A3   10100011   111   L^16
 254  FE   11111110   112   d^16
  25  19   00011001   113   J^16
  43  2B   00101011   114   f^128
 125  7D   01111101   115   a^128
 135  87   10000111   116   j^128
 146  92   10010010   117   n^128
 173  AD   10101101   118   G^128
 236  EC   11101100   119   β^8
  47  2F   00101111   120   T^8
 113  71   01110001   121   c^128
 147  93   10010011   122   S^128
 174  AE   10101110   123   L^128
 233  E9   11101001   124   D^128
  32  20   00100000   125   R^128
  96  60   01100000   126   k^128
 160  A0   10100000   127   b^128
 251  FB   11111011   128   B^128
  22  16   00010110   129   K^128
  58  3A   00111010   130   r^128
  78  4E   01001110   131   d^128
 210  D2   11010010   132   l^128
 109  6D   01101101   133   s^128
 183  B7   10110111   134   C^128
 194  C2   11000010   135   T^128
  93  5D   01011101   136   α^8
 231  E7   11100111   137   g^128
  50  32   00110010   138   N^128
  86  56   01010110   139   J^128
 250  FA   11111010   140   A^128
  21  15   00010101   141   F^128
  63  3F   00111111   142   j^16
  65  41   01000001   143   D^16
 195  C3   11000011   144   l^16
  94  5E   01011110   145   A^16
 226  E2   11100010   146   H^128
  61  3D   00111101   147   f^4
  71  47   01000111   148   H^4
 201  C9   11001001   149   m^128
  64  40   01000000   150   E^128
 192  C0   11000000   151   c^8
  91  5B   01011011   152   g^8
 237  ED   11101101   153   γ^8
  44  2C   00101100   154   M^32
 116  74   01110100   155   a^4
 156  9C   10011100   156   f^32
 191  BF   10111111   157   G^32
 218  DA   11011010   158   S^32
 117  75   01110101   159   k^32
 159  9F   10011111   160   r^32
 186  BA   10111010   161   C^32
 213  D5   11010101   162   N^32
 100  64   01100100   163   j^4
 172  AC   10101100   164   H^32
 239  EF   11101111   165   E^32
  42  2A   00101010   166   M^8
 126  7E   01111110   167   S^8
 130  82   10000010   168   N^8
 157  9D   10011101   169   M^2
 188  BC   10111100   170   Ω^2
 223  DF   11011111   171   n^4
 122  7A   01111010   172   m^4
 142  8E   10001110   173   h^16
 137  89   10001001   174   n^16
 128  80   10000000   175   R^16
 155  9B   10011011   176   s^16
 182  B6   10110110   177   F^16
 193  C1   11000001   178   m^16
  88  58   01011000   179   G^4
 232  E8   11101000   180   E^4
  35  23   00100011   181   h^2
 101  65   01100101   182   h^64
 175  AF   10101111   183   L^8
 234  EA   11101010   184   J^8
  37  25   00100101   185   a^64
 111  6F   01101111   186   n^64
 177  B1   10110001   187   β^4
 200  C8   11001000   188   c^64
  67  43   01000011   189   L^64
 197  C5   11000101   190   R^64
  84  54   01010100   191   b^64
 252  FC   11111100   192   K^64
  31  1F   00011111   193   d^64
  33  21   00100001   194   s^64
  99  63   01100011   195   T^64
 165  A5   10100101   196   g^64
 244  F4   11110100   197   J^64
   7  07   00000111   198   F^64
   9  09   00001001   199   D^8
  27  1B   00011011   200   A^8
  45  2D   00101101   201   f^2
 119  77   01110111   202   m^64
 153  99   10011001   203   c^4
 176  B0   10110000   204   γ^4
 203  CB   11001011   205   a^2
  70  46   01000110   206   G^16
 202  CA   11001010   207   k^16
  69  45   01000101   208   C^16
 207  CF   11001111   209   j^2
  74  4A   01001010   210   E^16
 222  DE   11011110   211   S^4
 121  79   01111001   212   M
 139  8B   10001011   213   n^2
 134  86   10000110   214   h^8
 145  91   10010001   215   R^8
 168  A8   10101000   216   F^8
 227  E3   11100011   217   G^2
  62  3E   00111110   218   h
  66  42   01000010   219   L^4
 198  C6   11000110   220   a^32
  81  51   01010001   221   β^2
 243  F3   11110011   222   L^32
  14  0E   00001110   223   b^32
  18  12   00010010   224   d^32
  54  36   00110110   225   T^32
  90  5A   01011010   226   J^32
 238  EE   11101110   227   D^4
  41  29   00101001   228   f
 123  7B   01111011   229   c^2
 141  8D   10001101   230   a
 140  8C   10001100   231   k^8
 143  8F   10001111   232   j
 138  8A   10001010   233   S^2
 133  85   10000101   234   n
 148  94   10010100   235   R^4
 167  A7   10100111   236   G
 242  F2   11110010   237   L^2
  13  0D   00001101   238   β
  23  17   00010111   239   b^16
  57  39   00111001   240   T^16
  75  4B   01001011   241   D^2
 221  DD   11011101   242   c
 124  7C   01111100   243   k^4
 132  84   10000100   244   S
 151  97   10010111   245   R^2
 162  A2   10100010   246   L
 253  FD   11111101   247   b^8
  28  1C   00011100   248   D
  36  24   00100100   249   k^2
 108  6C   01101100   250   R
 180  B4   10110100   251   b^4
 199  C7   11000111   252   k
  82  52   01010010   253   b^2
 246  F6   11110110   254   b

D.3  Polynomial Table

Each minimal polynomial over GF(2) is listed as a bit string of coefficients, e.g., 100011011
means x^8 + x^4 + x^3 + x + 1 = q(x). Reversing the bit string corresponds to inverting the
roots; the ordering is in such pairs. The conjugate roots are given in terms of log_B; the first
listed is given the name shown. The "order" is in the multiplicative subgroup, e.g., γ^5 = 1.

 name  polynomial   order   logs of conjugates
 0     10           1       -∞
 1     11           1       0
 Ω     111          3       85 170
 α     10011        15      17 34 68 136
 β     11001        15      238 221 187 119
 γ     11111        5       51 102 204 153
 A     100011011    51      25 50 100 200 145 35 70 140
 a     110110001    51      230 205 155 55 110 220 185 115
 B     100011101    255     1 2 4 8 16 32 64 128
 b     101110001    255     254 253 251 247 239 223 191 127
 C     100101011    255     13 26 52 104 208 161 67 134
 c     110101001    255     242 229 203 151 47 94 188 121
 D     100101101    255     248 241 227 199 143 31 62 124
 d     101101001    255     7 14 28 56 112 224 193 131
 E     100111001    17      45 90 180 105 210 165 75 150
 F     100111111    85      27 54 108 216 177 99 198 141
 f     111111001    85      228 201 147 39 78 156 57 114
 G     101001101    255     236 217 179 103 206 157 59 118
 g     101100101    255     19 38 76 152 49 98 196 137
 H     101011111    255     37 74 148 41 82 164 73 146
 h     111110101    255     218 181 107 214 173 91 182 109
 J     101100011    255     23 46 92 184 113 226 197 139
 j     110001101    255     232 209 163 71 142 29 58 116
 K     101110111    85      3 6 12 24 48 96 192 129
 k     111011101    85      252 249 243 231 207 159 63 126
 L     101111011    85      246 237 219 183 111 222 189 123
 l     110111101    85      9 18 36 72 144 33 66 132
 M     110000111    255     212 169 83 166 77 154 53 106
 m     111000011    255     43 86 172 89 178 101 202 149
 N     110001011    85      21 42 84 168 81 162 69 138
 n     110100011    85      234 213 171 87 174 93 186 117
 R     110011111    51      250 245 235 215 175 95 190 125
 r     111110011    51      5 10 20 40 80 160 65 130
 S     111001111    255     244 233 211 167 79 158 61 122
 s     111100111    255     11 22 44 88 176 97 194 133
 T     111010111    17      15 30 60 120 240 225 195 135

E  All Possible Bases

The following table shows all 432 possible combinations of bases for GF(2^8), GF(2^4), and
GF(2^2) for which the trace is unity (τ = T = 1). Each subfield basis is given as an ordered
pair; if the second entry is 1 then it is a polynomial basis, otherwise a normal basis. The
GF(2^8) basis uses roots of r(y) = y^2 + y + ν, the GF(2^4) basis uses roots of s(z) = z^2 + z + N,
where ν and N are the respective norms, and the GF(2^2) basis uses roots of t(w) = w^2 + w + 1.

The basis and norm entries use the naming convention summarized in Table D.3. Explicitly,
in terms of the standard AES basis: in subfield GF(2^2), Ω = 189 = 0xBD; in subfield GF(2^4),
α = 225 = 0xE1, β = 13 = 0x0D, and γ = 12 = 0x0C; in the main field, d = 255 = 0xFF and
L = 162 = 0xA2.

The coefficients C and D of ν with respect to the GF(2^4) basis are given in terms of N,
as is the root w, as on page 15.

Under "XOR Gates," the first column shows the number of XOR gates for the inverter;
each also includes 36 AND's. For bases 1-144, this number includes all of the low-level
optimizations given in Section 4.4; bases 145 and beyond use a polynomial basis for GF(2^8),
and for those cases the inverter number is an estimate (except for 8 cases where these
optimizations were explicitly included: 159, 177, 191, 209, 234, 252, 260, and 278). The
last three columns show the XOR's for a complete S-box, an inverse S-box, and a merged
combination of both with a shared inverter (excluding multiplexors); each would also have 36
AND's and possibly a few NOT's (for the affine transformation). A superscript ° means the
basis change matrices (8x8 for the separate architecture, 16x8 for the merged architecture)
were fully optimized by the tree-search algorithm; otherwise they were factored by the greedy
algorithm.
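The entries of Tables D.1-D.3 and the ν column of the table below are all determined by the AES polynomial q(x) and the generator B = A + 1, so they can be regenerated and checked mechanically. The following Python is an added example, not part of the paper or of its C program: it builds the log/antilog tables base B = 0x03, recovers each element's conjugacy class, multiplicative order and minimal polynomial (the rows of Table D.3), assigns the paper's names (the dictionary of class representatives is copied from Table D.3; the convention that the i-th Frobenius conjugate of a representative X is written X^(2^i) is taken from the tables), and computes the norm y·y^16 and trace y + y^16 used for the GF(2^8) normal bases [y^16, y] of Appendix E.

```python
import math
from typing import Dict, List, Tuple

Q = 0x11B   # q(x) = x^8 + x^4 + x^3 + x + 1, the AES field polynomial
A = 0x02    # the root "A" of q(x), written in the standard polynomial basis
B = A ^ 1   # B = A + 1 = 0x03, the logarithm base of Tables D.1 and D.2


def gf_mul(x: int, y: int) -> int:
    """Multiply two GF(2^8) elements in the polynomial basis, reducing by q(x)."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x & 0x100:
            x ^= Q
    return r


def build_tables() -> Tuple[List[int], Dict[int, int]]:
    """ANTILOG[k] = B^k (Table D.2) and LOG[B^k] = k (Table D.1) for k = 0..254."""
    antilog: List[int] = []
    log: Dict[int, int] = {}
    v = 1
    for k in range(255):
        antilog.append(v)
        log[v] = k
        v = gf_mul(v, B)
    assert v == 1 and len(log) == 255  # B is primitive: every nonzero element has a log
    return antilog, log


ANTILOG, LOG = build_tables()


def gf_pow(v: int, e: int) -> int:
    """v^e for nonzero v, via the log tables."""
    return ANTILOG[(LOG[v] * e) % 255]


def order(v: int) -> int:
    """Multiplicative order of nonzero v, the 'order' column of Table D.3."""
    return 255 // math.gcd(255, LOG[v])


def conjugate_logs(k: int) -> List[int]:
    """Logs of the conjugates of B^k in Frobenius order k, 2k, 4k, ... (mod 255)."""
    cyc: List[int] = []
    while k not in cyc:
        cyc.append(k)
        k = (2 * k) % 255
    return cyc


def minimal_polynomial(v: int) -> str:
    """Minimal polynomial of nonzero v over GF(2) as the bit string of Table D.3
    (highest degree first): the product of (x + c) over all conjugates c of v."""
    poly = [1]                                   # coefficients, lowest degree first
    for k in conjugate_logs(LOG[v]):
        c = ANTILOG[k]
        nxt = [0] * (len(poly) + 1)
        for i, coef in enumerate(poly):
            nxt[i + 1] ^= coef                   # coef * x
            nxt[i] ^= gf_mul(coef, c)            # coef * c
        poly = nxt
    assert all(coef in (0, 1) for coef in poly)  # a full conjugacy class gives a GF(2)[x] polynomial
    return "".join(str(coef) for coef in reversed(poly))


# Class representatives of Table D.3, keyed by the log of the first listed conjugate.
NAMES = {
    0: "1", 85: "Ω", 17: "α", 238: "β", 51: "γ",
    25: "A", 230: "a", 1: "B", 254: "b", 13: "C", 242: "c", 248: "D", 7: "d",
    45: "E", 27: "F", 228: "f", 236: "G", 19: "g", 37: "H", 218: "h",
    23: "J", 232: "j", 3: "K", 252: "k", 246: "L", 9: "l", 212: "M", 43: "m",
    21: "N", 234: "n", 250: "R", 5: "r", 244: "S", 11: "s", 15: "T",
}


def name_of(v: int) -> str:
    """Name of v in the convention of Tables D.1-D.3 (assumed from the tables):
    the i-th Frobenius conjugate of a class representative X is written X^(2^i)."""
    if v == 0:
        return "0"
    k = LOG[v]
    rep = next(r for r in conjugate_logs(k) if r in NAMES)
    i = conjugate_logs(rep).index(k)
    return NAMES[rep] if i == 0 else f"{NAMES[rep]}^{2 ** i}"


def norm_and_trace(y: int) -> Tuple[int, int]:
    """Norm y * y^16 and trace y + y^16 of y relative to GF(2^4); for the GF(2^8)
    normal bases [y^16, y] of Appendix E the norm is the ν column and the trace must be 1."""
    y16 = gf_pow(y, 16)
    return gf_mul(y, y16), y ^ y16


if __name__ == "__main__":
    for v in (0x02, 0x03, 0xBD, 0xE1, 0x0D, 0x0C):
        print(f"{v:3d} {v:02X} log={LOG[v]:3d} {name_of(v):6s} order={order(v):3d} {minimal_polynomial(v)}")
    for y in (0xFF, 0xA2):          # d and L, the two GF(2^8) roots used in Appendix E
        nu, tau = norm_and_trace(y)
        print(f"y={name_of(y)}: trace={tau}, norm={name_of(nu)}")
```

Running it reproduces, for instance, that d = 0xFF gives trace 1 and norm β^8 (the ν entry of cases 1-18), and that α = 0xE1 has order 15 and minimal polynomial 10011, as Table D.3 lists.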

# 

Bases 

Norms 

Coefficients 

XOR  Gates 

GF(  28) 

GF(  24) 

GF(  22) 

V 

N 

C 

D 

w  = 

msi 

1 

[dw,  d] 

4 

[a  ,  a\ 

[fi2,ll] 

(3s 

Q 

N 2 

1 

N 

66 

99° 

94° 

122 

2 

[dw,  d] 

4 

or,  a 

[«,  i] 

(3* 

Q 

N2 

1 

N 

66 

94° 

93° 

119 

3 

[dw,  d) 

4 

a  ,  a 

[H2, 1] 

(3* 

o 

N 2 

1 

N2 

66 

94° 

92° 

116 

4 

[dw,  d] 

[ 

ct8,  a2 

(3* 

n2 

0 

N 2 

N 2 

66 

90° 

91° 

104° 

5 

[dw,  d) 

[ 

a8,  a2 

[«,  i] 

(3* 

n2 

0 

N 2 

N 2 

66 

92° 

92° 

109° 

6 

[dw,  d] 

[ 

a8,  a2} 

[ll2, 1] 

(3* 

n2 

0 

N 2 

N 

66 

92° 

94° 

113 

7 

[dw,  d] 

.01,1} 

[f22, 0] 

(3* 

n 

N 

N2 

N 

67 

98 

95 

119 

8 

[dw,  d] 

a,  1} 

[«,  i] 

(3* 

o 

N 

N 2 

N 

68 

97 

96 

117 

9 

[dw,  d] 

«,  1} 

[fl2, 1] 

(3* 

n 

N 

N 2 

N2 

68 

98 

95 

119 

10 

[dl\  d] 

a4, 1] 

[O2, 0] 

(3* 

Q 

N 

1 

N 

67 

95° 

94° 

117 

11 

[dw,  d] 

a4, 1] 

[f!,l] 

(3s 

0 

N 

1 

N 

67 

93° 

94° 

115 

12 

[dw,  d] 

a4, 1] 

[fi2,  1] 

(3* 

n 

N 

1 

N 2 

67 

94 

96 

118 

13 

[d1G,  d] 

[«2, 1] 

[fi2,fl] 

(3* 

n2 

N 2 

0 

N 2 

67 

91° 

92° 

114 

14 

[dw,  d) 

[«2, 1] 

[n,  i] 

(3* 

n2 

N2 

0 

N2 

67 

93° 

93° 

114 

15 

[dw,  d] 

[«2, 1] 

[fl2,  1] 

(3* 

n2 

N 2 

0 

N 

67 

94° 

95° 

118 

16 

[dw,  d) 

[a8, 1] 

[n2, 0] 

(3* 

n2 

N 2 

N 2 

N 2 

67 

91° 

93° 

111° 

17 

[dw,  d] 

[a8, 1] 

[«,  1] 

(3* 

n2 

N 2 

N 2 

N2 

67 

92° 

94° 

113 

18 

[dw,  d] 

[a8, 1] 

[H2, 1] 

(3* 

n2 

N 2 

N 2 

N 

67 

93° 

94° 

117 

19 

[d32,  d2} 

a4,  a] 

[H2,fl] 

(3 

n 

N 2 

0 

N 

66 

100 

101 

124 

20 

[d32,  d2} 

4 

a  ,a 

[«,  1] 

(3 

n 

N2 

0 

N 

66 

99 

100 

118 

21 

[d32,  d2) 

4 

a  ,  a 

[fi2, 1] 

(3 

n 

N2 

0 

N2 

66 

96 

99 

116 

22 

[d32,  d2} 

[ 

a8,  a2 

[fi2,fl] 

(3 

n2 

N 2 

1 

N2 

66 

96° 

97° 

116 

23 

[d32,  d2} 

[ 

a8,  a2 

[«,  1] 

(3 

n2 

N 2 

1 

N2 

66 

94° 

92° 

107° 

24 

[d32,  d2} 

[ 

a8,  a2] 

[fl2, 1] 

(3 

n2 

N 2 

1 

N 

66 

94° 

94° 

117 

25 

[d32,  d2} 

a,  1} 

[O2, 0] 

(3 

o 

N 2 

N 2 

N 

67 

101 

100 

121 

26 

[d32,  d2} 

a,  1} 

[M 

(3 

o 

N 2 

N 2 

N 

67 

97 

99 

122 

27 

[d32,  d2} 

«,  1} 

[fi2, 1] 

(3 

o 

N2 

N 2 

N2 

67 

100 

95 

121 

28 

[d32,  d2} 

a4, 1] 

[ll2,fl] 

(3 

n 

N2 

0 

N 

67 

99 

99 

122 

29 

[d32,  d2] 

a4, 1] 

[«,  1] 

(3 

n 

N 2 

0 

N 

67 

96° 

93° 

117 

30 

[d32,  d2} 

a4, 1] 

[H2, 1] 

(3 

n 

N 2 

0 

N 2 

67 

96 

98 

118 

31 

[d32,  d2) 

[«2, 1] 

[fi2,fl] 

(3 

n2 

N 

N 2 

N2 

67 

97 

98 

122 

32 

[d32,  d2} 

«2, 1] 

[«,  1] 

(3 

n2 

N 

N 2 

N 2 

68 

99 

94 

115 

33 

[d32,  d2} 

[«2, 1] 

[fi2, 1] 

(3 

n2 

N 

N 2 

N 

68 

103 

96 

120 

34 

[d32,  d2} 

[a8, 1] 

[fi2,fl] 

(3 

fi2 

N 

1 

N2 

67 

94° 

97° 

113 

35 

[d32,  d2} 

[a8, 1] 

[«,  1] 

(3 

n2 

N 

1 

N2 

67 

93° 

93° 

110° 

36 

[d32,  d2} 

[a8, 1] 

[fi2, 1] 

(3 

n2 

N 

1 

N 

67 

92° 

94° 

118 

°fully  optimized  results 
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Case 

# 

Bases 

Norms 

Coefficients 

XOR  Gates 

GF(  28) 

GF(  24) 

GF(  22) 

V 

N 

C 

D 

w  = 

inv. 

S-box 

S-box  1 

Both 

37 

[db\  d4} 

4 

[a  ,  aj 

[ll2,  fi] 

id2 

H 

1 

N 2 

N 

66 

94° 

93° 

115 

38 

[d64,  d4} 

4 

a  ,  a 

[11,1] 

(32 

H 

1 

N 2 

N 

66 

94° 

93° 

117 

39 

[d64,  d 4] 

4 

a  ,  a 

[n2,  i] 

P 2 

H 

1 

N 2 

N 2 

66 

95° 

92° 

113 

40 

[d64,  d4} 

[ 

a8,  a2 

[n2,  n] 

(32 

n2 

N2 

0 

N 2 

66 

96 

93 

117 

41 

[< d 64,  d 4] 

[ 

a8,  a2 

[«,  i] 

P 2 

n2 

N2 

0 

N 2 

66 

95 

98 

119 

42 

[d64,  d4} 

I 

a8,  a2] 

[n2,  i] 

(32 

n2 

N2 

0 

N 

66 

96 

100 

119 

43 

[cf4,  d 4] 

a,  i] 

[n2,  n] 

(32 

n 

N 

1 

N 

67 

92° 

90° 

113 

44 

[cf  4,  d4} 

a,  i] 

[!J,1] 

f32 

n 

N 

1 

N 

67 

91° 

92° 

107° 

45 

[cf  4,  d4] 

a,  i] 

[n2,  i] 

f32 

n 

N 

1 

N 2 

67 

91° 

91° 

109° 

46 

[d64,  d4] 

a4, 1] 

[n2,  n] 

P 2 

n 

N 

N 2 

N 

67 

97 

95 

120 

47 

[d64,  d4] 

a4, 1] 

[!J,1] 

(32 

n 

N 

N 2 

N 

68 

98 

96 

116 

48 

[d64,  d4] 

a4, 1] 

[n2,  i] 

P2 

n 

N 

N 2 

N 2 

68 

97 

99 

119 

49 

[d64,  d 4] 

[«2, 1] 

[n2,  n] 

P2 

n2 

N2 

N 2 

N 2 

67 

95 

95 

119 

50 

[d64,  rf4] 

[«2, 1] 

[n,i] 

P2 

n2 

N 2 

N 2 

N2 

67 

93 

97 

109° 

51 

[d64,  d4] 

[«2, 1] 

[n2,  i] 

P2 

n2 

N2 

N2 

N 

67 

94° 

96° 

118 

52 

[d64,  tf4] 

[a8, 1] 

[n2,  n] 

P2 

n2 

N2 

0 

N 2 

67 

95° 

95° 

117 

53 

[d64,  tf4] 

[a8, 1] 

[n,  i] 

P2 

n2 

N2 

0 

N 2 

67 

94 

95 

115 

54 

[d64,  rf4] 

[«8, 1] 

[n2,  i] 

P2 

n2 

N2 

0 

N 

67 

96 

97 

115 

55 

[d128,  rf8] 

a4,  a] 

[n2,  n] 

P4 

n 

0 

N2 

N 

66 

95 

98 

122 

56 

[d128,  d8' 

4 

a  ,  a 

[«,  i] 

P4 

n 

0 

N 2 

N 

66 

96 

98 

122 

57 

[d128,  d8] 

4 

a  ,  a 

[n2,  i] 

P4 

n 

0 

N 2 

N2 

66 

95 

98 

118 

58 

[d128,  d8] 

7 

a8,  a2 

[n2,  n] 

P4 

n2 

1 

N2 

N 2 

66 

96° 

96° 

115 

59 

[d128,  d8} 

[ 

a8,  a2 

[«,  i] 

P4 

n2 

1 

N 2 

N 2 

66 

97 

99 

119 

60 

00 

00 

(M 

2, 

[ 

n8,  a2] 

[n2,  i] 

P4 

n2 

1 

N 2 

N 

66 

96 

98 

114 

61 

[rf128,  d8} 

a,  i] 

[n2,  n] 

P4 

n 

N2 

0 

N 

67 

97 

99 

119 

62 

00 

"Q 

00 

(M 

2, 

a,  i] 

[«,  i] 

P4 

n 

N2 

0 

N 

67 

94° 

96° 

116 

63 

[d128,  d8 

a,  i] 

[n2,  i] 

P4 

n 

N 2 

0 

N 2 

67 

99 

99 

119 

64 

[d128,  d8 

a4, 1] 

[n2,  n] 

P4 

n 

N 2 

N 2 

N 

67 

98 

100 

120 

65 

[d128,  d8} 

a4, 1] 

[fi,i] 

P4 

n 

N2 

N2 

N 

67 

95° 

95° 

118 

66 

[d128,  d8' 

a4, 1] 

[n2,  i] 

P4 

n 

N2 

N 2 

N 2 

67 

97 

97 

120 

67 

[d128,  d8' 

[«2, 1] 

[n2,  n] 

P4 

n2 

N 

1 

N 2 

67 

98 

98 

121 

68 

[d128,  d8' 

[«2, 1] 

[fi,i] 

P4 

n2 

N 

1 

N 2 

67 

94° 

93° 

119 

69 

[d128,  d8' 

[«2, 1] 

[n2,  i] 

P4 

n2 

N 

1 

N 

67 

101 

100 

123 

70 

[d128,  d8} 

[a8, 1] 

[n2,  n] 

P 4 

n2 

N 

N 2 

N2 

67 

99 

99 

122 

71 

[d128,  d8} 

[«8, 1] 

[S2,l] 

P4 

n2 

N 

N2 

N 2 

68 

100 

99 

124 

72 

[dr28,  d8} 

K,  1] 

[n2,  i] 

P4 

n2 

N 

N 2 

N 

68 

102 

100 

119 

“fully  optimized  results 
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Case 

# 

Bases 

Norms 

Coefficients 

XOR  Gates 

GF(  28) 

GF(24) 

GF(  22) 

V 

N 

C 

D 

w  = 

inv. 

S-box 

S-box  1 

Both 

73 

[L16,L\ 

4 

[a  ,  aj 

[H2,  fi] 

72 

H 

0 

N 

N 

66 

94° 

93° 

117 

74 

[Lm,L\ 

'  4 

or,  a 

[«,  i] 

72 

H 

0 

N 

N 

66 

98 

96 

120 

75 

[L16,L] 

'  4 

or,  ck 

[H2, 1] 

72 

H 

0 

N 

N 2 

66 

96° 

93° 

119 

76 

[L16,L] 

'  [ 

ct8,  a2 

] 

[ii2,  n] 

72 

n2 

N 

1 

N2 

66 

92° 

93° 

115 

77 

[L16,L] 

'  [ 

ct8,  a2 

] 

[ii,i] 

72 

n2 

N 

1 

N2 

66 

93° 

94° 

119 

78 

[L16,L] 

;i 

ct8,  a2] 

[n2,  i] 

72 

n2 

N 

1 

N 

66 

93° 

95° 

117 

79 

[Lm,L\ 

a,  i] 

[n2,  n] 

72 

n 

N 

0 

N 

67 

93° 

92° 

114 

80 

[Lm,L\ 

a,  i] 

[«,  i] 

72 

n 

N 

0 

N 

67 

92° 

93° 

116 

81 

[Lm,L\ 

a,  i] 

[n2,  i] 

72 

n 

N 

0 

N 2 

67 

94° 

93° 

115 

82 

[L16,L] 

a4, 1] 

[n2,  n] 

72 

n 

N 

N 

N 

67 

94° 

96° 

116 

83 

[L16,L] 

a4, 1] 

[!J,1] 

72 

n 

N 

N 

N 

67 

94° 

93° 

116 

84 

[L16,L] 

a4, 1] 

[n2,  i] 

72 

n 

N 

N 

N2 

67 

93° 

94° 

115 

85 

[L16,L] 

[«2, 1] 

[n2,  n] 

72 

n2 

N 2 

N 

N2 

67 

92° 

93° 

113 

86 

[Lm,L\ 

[«2, 1] 

[n,  i] 

72 

n2 

N 2 

N 

N2 

67 

92° 

94° 

116 

87 

[Lm,L\ 

[«2, 1] 

[n2,  i] 

72 

n2 

N2 

N 

N 

67 

93° 

95° 

117 

88 

[Lm,L\ 

[a8, 1] 

[n2,  n] 

72 

n2 

N 2 

1 

N 2 

67 

94° 

94° 

113 

89 

[L16,L] 

[a8, 1] 

[«,  i] 

72 

n2 

N 2 

1 

N2 

68 

92° 

92° 

115 

90 

[L16,L] 

K,  1] 

[n2,  i] 

72 

n2 

N 2 

1 

N 

67 

93 

94 

115 

91 

[L32,  L2} 

a4,  a] 

[n2,  n] 

74 

n 

1 

N 

N 

66 

96° 

95° 

119 

92 

[L32,  L2 

'  4 

a  ,  a 

[n,  i] 

74 

n 

1 

N 

N 

66 

99 

96 

121 

93 

[L32,  L2 

‘  4 
a  ,  Qf 

[n2,  i] 

74 

n 

1 

N 

N2 

66 

99 

97 

118 

94 

[L32,  L2 

1 

00 

p 

to 

] 

[n2,  n] 

74 

n2 

0 

N 

N 2 

66 

94° 

94° 

113 

95 

[L32,  L 2 

'  t 

a8,  a2 

] 

[«,  i] 

74 

n2 

0 

N 

N2 

66 

95 

97 

118 

96 

[L32,  L 2 

'  t 

P 

00 

p 

to 

[n2,  i] 

74 

n2 

0 

N 

N 

66 

93° 

95° 

119 

97 

[L32,  L 2 

a,  i] 

[n2,  n] 

74 

n 

N2 

1 

N 

67 

101 

100 

125 

98 

[L32,  L2 

a,  i] 

[«,  i] 

74 

n 

N 2 

1 

N 

67 

98 

100 

124 

99 

[L32,  L2 

a,  i] 

[n2,  i] 

74 

n 

N 2 

1 

N 2 

68 

100 

101 

122 

100 

[L32,  L2 

a4, 1] 

[n2,  n] 

74 

n 

N 2 

N 

N 

67 

92° 

93° 

117 

101 

[L32,  L2 

a4, 1] 

i«,  i] 

74 

n 

N2 

N 

N 

67 

97 

96 

120 

102 

[L32,  L2 

a4, 1] 

[n2,  i] 

74 

n 

N 2 

N 

N2 

67 

97 

99 

122 

103 

[L32,  L2 

[«2, 1] 

[n2,  n] 

74 

n2 

N 

0 

N2 

67 

97 

98 

121 

104 

[L32,  L2 

[«2, 1] 

P,  i] 

74 

n2 

N 

0 

N2 

67 

94° 

96° 

118 

105 

[L32,  L 2 

[«2, 1] 

[n2,  i] 

74 

n2 

N 

0 

N 

67 

96 

97 

119 

106 

[L32,  L2 

[a8, 1] 

[n2,  n] 

74 

n2 

N 

N 

N2 

67 

97 

101 

121 

107 

[L32,  L2 

[«8, 1] 

i«,i] 

74 

n2 

N 

N 

N 2 

67 

96° 

95° 

116 

108 

[L32,  L2 

[«8, 1] 

[n2,  i] 

74 

n2 

N 

N 

N 

67 

98 

98 

118 
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Case 

# 

Bases 

Norms 

Coefficients 

XOR  Gates 

GF(  2s) 

CF(24) 

GF(  22) 

V 

IV 

c 

D 

w  = 

Both 

109 

[L64,  L4] 

N 

0 

N 

66 

91° 

93° 

114 

110 

[L64,  L4 

'  4 

a  ,  ck 

[n,i] 

T 

ft 

N 

0 

N 

66 

91° 

92° 

113 

111 

[L64,  L4 

‘  4 
a  ,  Qf 

[H2,  1] 

78 

ft 

N 

0 

N2 

66 

91° 

93° 

108° 

112 

[L64,  L4 

[ 

ct8,  a2 

] 

[n2,  n] 

78 

ft2 

1 

N 

N2 

66 

93° 

90° 

114 

113 

[L64,  L4 

[ 

ct8,  a2 

] 

[«,  i] 

78 

ft2 

1 

N 

N2 

66 

94° 

90° 

109° 

114 

[L64,  L4 

[ 

ct8,  a2] 

[ii2,  i] 

78 

ft2 

1 

N 

N 

66 

91° 

90° 

108° 

115 

[L64,  L4 

.01,1} 

[ii2,  n\ 

78 

ft 

N 

N 

N 

67 

94° 

96° 

115 

116 

[L64,  L4 

a,  i] 

[«,  i] 

78 

ft 

N 

N 

N 

67 

93° 

94° 

115 

117 

[L64,  L4 

a,  i] 

[n2,  i] 

78 

ft 

N 

N 

N2 

67 

92° 

94° 

109° 

118 

[L64,  L4 

a4, 1] 

[n2,  n] 

78 

ft 

N 

0 

N 

67 

93 

96 

113 

119 

[L64,  L4 

a4, 1] 

[f!,l] 

78 

ft 

N 

0 

N 

67 

93° 

93° 

118 

120 

[L64,  L4 

a4, 1] 

[O2,  1] 

78 

ft 

N 

0 

N2 

67 

92° 

93° 

116 

121 

[L64,  L4 

[«2, 1] 

[H2,  ft] 

78 

ft2 

N2 

1 

N2 

67 

98 

94 

119 

122 

[L64,  L4 

[«2, 1] 

[n,  i] 

78 

ft2 

N2 

1 

N2 

68 

95° 

93° 

114 

123 

[L64,  L4 

[«2, 1] 

[ft2,  1] 

78 

ft2 

N2 

1 

N 

67 

95° 

93° 

116 

124 

[L64,  L4 

[a8, 1] 

[ft2,  ft] 

78 

ft2 

N2 

N 

N2 

67 

95 

94 

115 

125 

[L64,  L4 

[a8, 1] 

[f!,l] 

78 

ft2 

N2 

N 

N2 

67 

93° 

90° 

110° 

126 

[L64,  L4} 

[a8, 1] 

[ft2,  1] 

78 

ft2 

N2 

N 

N 

67 

94° 

92° 

116 

127 

[L128,  L8] 

a4,  a] 

[ft2,  ft] 

7 

ft 

N 

1 

N 

66 

96° 

97° 

119 

128 

[L128,  L8] 

'  4 

a  ,  a 

[f!,l] 

7 

ft 

N 

1 

N 

66 

97 

100 

119 

129 

[L128,  L8] 

‘  4 

a  ,  ck 

[ft2,  1] 

7 

ft 

N 

1 

N2 

66 

100 

101 

121 

130 

[L128,  L8] 

[ 

a8,  a2 

] 

[ft2,  ft] 

7 

ft2 

N 

0 

N2 

66 

92° 

91° 

115 

131 

[L128,  L8] 

[ 

a8,  a2 

] 

[«,  1] 

7 

ft2 

N 

0 

N2 

66 

94° 

95° 

120 

132 

[L128,  L8] 

[ 

ct8,  a2] 

[ft2,  1] 

7 

ft2 

N 

0 

N 

66 

92° 

95° 

116 

133 

[L128,  L8] 

a,  i] 

[ft2,  ft] 

7 

ft 

N2 

N 

N 

67 

99 

101 

120 

134 

[L128,  L8] 

a,  i] 

[f!,l] 

7 

ft 

N2 

N 

N 

67 

98 

99 

119 

135 

[L128,  L8] 

a,  i] 

[ft2,  1] 

7 

ft 

N2 

N 

N2 

67 

99 

100 

121 

136 

[L128,  L8] 

a4, 1] 

[ft2,  ft] 

7 

ft 

N2 

1 

N 

67 

101 

99 

123 

137 

[L128,  L8] 

a4, 1] 

[«,  1] 

7 

ft 

N2 

1 

N 

67 

98 

99 

122 

138 

[L128,  L8] 

a4, 1] 

[ft2,  1] 

7 

ft 

N2 

1 

N2 

68 

100 

101 

126 

139 

[L128,  L8] 

[«2, 1] 

[ft2,  ft] 

7 

ft2 

N 

N 

N2 

67 

97 

102 

119 

140 

[L128,  L8] 

a2, 1] 

[«,  1] 

7 

ft2 

N 

N 

N2 

67 

97 

100 

120 

141 

[L128,  L8] 

[«2, 1] 

[ft2,  1] 

7 

ft2 

N 

N 

N 

67 

100 

100 

122 

142 

[L128,  L8] 

[a8, 1] 

[ft2,  ft] 

7 

ft2 

N 

0 

N2 

67 

95° 

94° 

116 

143 

[L128,  L8] 

[a8, 1] 

[«,  1] 

7 

ft2 

N 

0 

N2 

67 

95° 

97° 

119 

144 

[L128,  L8] 

[a8, 1] 

[ft2,  1] 

7 

ft2 

N 

0 

N 

67 

96 

98 

117 

“fully  optimized  results 


54 


[Table continued: cases 145 to 180. The individual cell values are illegible in this scan.]
[Table continued: cases 181 to 216. The individual cell values are illegible in this scan.]
[Table continued: cases 217 to 252. The individual cell values are illegible in this scan.]
[Table continued: cases 253 to 288. The individual cell values are illegible in this scan.]
[Table continued: cases 289 to 324. The individual cell values are illegible in this scan.]
[Table continued: cases 325 to 360. The individual cell values are illegible in this scan.]
[Table continued: cases 361 to 396. The individual cell values are illegible in this scan.]
[Table continued: cases 397 to 432 (end of table). The individual cell values are illegible in this scan.]